mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2026-05-19 01:41:21 +00:00
style: Finish converting admonitions
@@ -32,8 +32,6 @@
|
||||
<img src="https://badges.crowdin.net/privacyguides/localized.svg"></a>
|
||||
<a href="https://github.com/sponsors/privacyguides#sponsors">
|
||||
<img src="https://img.shields.io/github/sponsors/privacyguides"></a>
|
||||
<a href="https://squidfunk.github.io/mkdocs-material/">
|
||||
<img src="https://img.shields.io/badge/Material_for_MkDocs-526CFE?logo=MaterialForMkDocs&logoColor=white"></a>
|
||||
<a href="https://github.com/privacyguides/privacyguides.org/actions/workflows/publish-release.yml">
|
||||
<img src="https://img.shields.io/github/actions/workflow/status/privacyguides/privacyguides.org/publish-release.yml?label=release"></a></p>
|
||||
</div>
|
||||
@@ -42,7 +40,7 @@
|
||||
|
||||
**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer team members and contributors. Our website is free of advertisements and not affiliated with any of the listed providers.
|
||||
|
||||
The current list of team members can be found on [the executive committee page](https://www.privacyguides.org/en/about/#executive-committee). Additionally, [many people](#contributors) have made contributions to the project, and you can too!
|
||||
The current list of team members can be found on [the executive committee page](https://www.privacyguides.org/en/about/#executive-committee). Additionally, many people have made contributions to the project, and you can too!
|
||||
|
||||
*Featured on: [Tweakers](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html), [The New York Times](https://nytimes.com/wirecutter/guides/online-security-social-media-privacy), [Wired](https://wired.com/story/firefox-mozilla-2022), and [Fast Company](https://www.fastcompany.com/91167564/mozilla-wants-you-to-love-firefox-again).*
|
||||
|
||||
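Review bot: the README sentence "Additionally, many people have made contributions to the project, and you can too!" loses its `[many people](#contributors)` link, which is a content change rather than an admonition conversion, and the commit subject "style: Finish converting admonitions" does not mention it. Split the README edits into their own commit or name them in the message, so the removal of the contributor links can be found in history.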
@@ -58,13 +56,6 @@ The current list of team members can be found on [the executive committee page](
|
||||
- View the list of [approved topics waiting for a PR](https://discuss.privacyguides.net/tag/approved)
|
||||
- Read some writing tips in our [style guide](https://www.privacyguides.org/en/meta/writing-style)
|
||||
|
||||
All contributors to the site are listed [here](#contributors). If you have contributed to the website or project, please [add yourself](https://github.com/privacyguides/privacyguides.org/issues/2524) to the list or ask @jonaharagon to make the change.
|
||||
|
||||
## Mirrors
|
||||
|
||||
- **GitHub Pages:** [privacyguides.github.io/privacyguides.org](https://privacyguides.github.io/privacyguides.org/en/)
|
||||
- **BunnyCDN:** [privacyguides-org-production.b-cdn.net](https://privacyguides-org-production.b-cdn.net/en/)
|
||||
|
||||
### Alternative Networks
|
||||
|
||||
> [!NOTE]
|
||||
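Review bot: `### Alternative Networks` stays a level-3 heading, but the hunk header goes from 13 lines to 6, and if the lines dropped are the "All contributors to the site are listed..." paragraph plus `## Mirrors` and its two list items, that heading is left directly under the contributing list with no parent section. Promote it to `## Alternative Networks`, or keep a level-2 heading above it.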
@@ -82,7 +73,7 @@ All contributors to the site are listed [here](#contributors). If you have contr
|
||||
|
||||
## License
|
||||
|
||||
Copyright © 2019 - 2024 [Privacy Guides contributors](#contributors).
|
||||
Copyright © 2019–2026 Privacy Guides contributors.
|
||||
|
||||
Privacy Guides content is licensed under the [Creative Commons Attribution-ShareAlike 4.0 International Public License](/LICENSE), and the underlying source code used to format and display that content on [www.privacyguides.org](https://www.privacyguides.org) is licensed under the [MIT License](/LICENSE-CODE).
|
||||
|
||||
|
||||
@@ -45,15 +45,10 @@ These tend to be good options for recurring/subscription payments online, while
|
||||
|
||||
Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a transparent blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only purchase amounts which would not be disastrous to lose.
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition danger" markdown>
|
||||
<p class="admonition-title">Danger</p>
|
||||
|
||||
The vast majority of cryptocurrencies operate on a **transparent** blockchain, meaning that every transaction's details are public knowledge. This includes most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity.
|
||||
|
||||
Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. Transactions are irreversible and do not include any consumer protections.
|
||||
|
||||
</div>
|
||||
> [!CAUTION]
|
||||
> The vast majority of cryptocurrencies operate on a **transparent** blockchain, meaning that every transaction's details are public knowledge. This includes most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity.
|
||||
>
|
||||
> Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. Transactions are irreversible and do not include any consumer protections.
|
||||
|
||||
### Privacy Coins
|
||||
|
||||
@@ -89,10 +84,5 @@ When you're making a payment in person with cash, make sure to keep your in-pers
|
||||
|
||||
When purchasing online, ideally you should do so over [Tor](../tor-overview/index.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../../../tools/services/vpn/index.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address.
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition tip" markdown>
|
||||
<p class="admonition-title">Important notices</p>
|
||||
|
||||
The content here is not legal or financial advice. We do not endorse or encourage illicit activities, and we do not endorse or encourage anything which violates a company's terms of service. Check with a professional to confirm that these recommendations are legal and available in your jurisdiction. [See all notices](../../../about/notices.md).
|
||||
|
||||
</div>
|
||||
> [!NOTE]
|
||||
> The content here is not legal or financial advice. We do not endorse or encourage illicit activities, and we do not endorse or encourage anything which violates a company's terms of service. Check with a professional to confirm that these recommendations are legal and available in your jurisdiction. [See all notices](../../../about/notices.md).
|
||||
|
||||
@@ -57,17 +57,12 @@ Setting up bad configurations like these is difficult to do accidentally, becaus
|
||||
|
||||
---
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition info" markdown>
|
||||
<p class="admonition-title">VPN/SSH Fingerprinting</p>
|
||||
|
||||
The Tor Project [notes](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#vpnssh-fingerprinting) that *theoretically* using a VPN to hide Tor activities from your ISP may not be foolproof. VPNs have been found to be vulnerable to website traffic fingerprinting, where an adversary can still guess what website is being visited because all websites have specific traffic patterns.
|
||||
|
||||
Therefore, it's not unreasonable to believe that encrypted Tor traffic hidden by a VPN could also be detected via similar methods. There are no research papers on this subject, and we still consider the benefits of using a VPN to far outweigh these risks, but it is something to keep in mind.
|
||||
|
||||
If you still believe that pluggable transports (bridges) provide additional protection against website traffic fingerprinting that a VPN does not, you always have the option to use a bridge **and** a VPN in conjunction.
|
||||
|
||||
</div>
|
||||
> [!CAUTION]
|
||||
> The Tor Project [notes](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#vpnssh-fingerprinting) that *theoretically* using a VPN to hide Tor activities from your ISP may not be foolproof. VPNs have been found to be vulnerable to website traffic fingerprinting, where an adversary can still guess what website is being visited because all websites have specific traffic patterns.
|
||||
>
|
||||
> Therefore, it's not unreasonable to believe that encrypted Tor traffic hidden by a VPN could also be detected via similar methods. There are no research papers on this subject, and we still consider the benefits of using a VPN to far outweigh these risks, but it is something to keep in mind.
|
||||
>
|
||||
> If you still believe that pluggable transports (bridges) provide additional protection against website traffic fingerprinting that a VPN does not, you always have the option to use a bridge **and** a VPN in conjunction.
|
||||
|
||||
Determining whether you should first use a VPN to connect to the Tor network will require some common sense and knowledge of your own government's and ISP's policies relating to what you're connecting to. To reiterate, though, you will be better off being seen as connecting to a commercial VPN network than directly to the Tor network in most cases. If VPN providers are censored in your area, then you can also consider using Tor pluggable transports (e.g., Snowflake or meek bridges) as an alternative, but using these bridges may arouse more suspicion than standard WireGuard/OpenVPN tunnels.
|
||||
|
||||
|
||||
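Review bot: `> [!CAUTION]` replaces what was `<div class="admonition info" markdown>`, so an informational aside now carries the same alert type this commit gives the former `admonition danger` block on cryptocurrency. The text itself calls the risk theoretical, says there are no research papers on the subject, and says the benefits of a VPN far outweigh it; `> [!NOTE]` would match the original severity. The title "VPN/SSH Fingerprinting" is also dropped, and a bold first line such as `> **VPN/SSH Fingerprinting**` would keep the callout scannable.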
@@ -64,7 +64,7 @@ To minimize the damage that a malicious piece of software *could* do, you should
|
||||
|
||||
> [!TIP]
|
||||
> Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
|
||||
>
|
||||
>
|
||||
> Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../../tools/os/desktop/index.md#qubes-os).
|
||||
|
||||
|
||||
@@ -86,13 +86,8 @@ If you are concerned about **physical attacks** you should use an operating syst
|
||||
|
||||
Supply chain attacks are frequently a form of <span class="pg-red">:material-target-account: Targeted Attack</span> towards businesses, governments, and activists, although they can end up compromising the public at large as well.
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition example" markdown>
|
||||
<p class="admonition-title">Example</p>
|
||||
|
||||
A notable example of this occurred in 2017 when M.E.Doc, a popular accounting software in Ukraine, was infected with the *NotPetya* virus, subsequently infecting people who downloaded that software with ransomware. NotPetya itself was a ransomware attack which impacted 2000+ companies in various countries, and was based on the *EternalBlue* exploit developed by the NSA to attack Windows computers over the network.
|
||||
|
||||
</div>
|
||||
> [!NOTE]
|
||||
> A notable example of this occurred in 2017 when M.E.Doc, a popular accounting software in Ukraine, was infected with the *NotPetya* virus, subsequently infecting people who downloaded that software with ransomware. NotPetya itself was a ransomware attack which impacted 2000+ companies in various countries, and was based on the *EternalBlue* exploit developed by the NSA to attack Windows computers over the network.
|
||||
|
||||
There are few ways in which this type of attack might be carried out:
|
||||
|
||||
@@ -118,17 +113,12 @@ The obvious problem with this is that the service provider (or a hacker who has
|
||||
|
||||
Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition note" markdown>
|
||||
<p class="admonition-title">Note on Web-based Encryption</p>
|
||||
|
||||
In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../../../tools/services/messengers/index.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
|
||||
|
||||
On the other hand, web-based E2EE implementations, such as Proton Mail's web app or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
|
||||
|
||||
Therefore, you should use native applications over web clients whenever possible.
|
||||
|
||||
</div>
|
||||
> [!IMPORTANT]
|
||||
> In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../../../tools/services/messengers/index.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
|
||||
>
|
||||
> On the other hand, web-based E2EE implementations, such as Proton Mail's web app or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
|
||||
>
|
||||
> Therefore, you should use native applications over web clients whenever possible.
|
||||
|
||||
Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as whom you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](../threat-modeling/index.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.
|
||||
|
||||
@@ -138,25 +128,13 @@ Even with E2EE, service providers can still profile you based on **metadata**, w
|
||||
|
||||
Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition abstract" markdown>
|
||||
<p class="admonition-title">Atlas of Surveillance</p>
|
||||
|
||||
If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org) by the [Electronic Frontier Foundation](https://eff.org).
|
||||
|
||||
In France, you can take a look at the [Technopolice website](https://technopolice.fr/villes) maintained by the non-profit association La Quadrature du Net.
|
||||
|
||||
</div>
|
||||
> [!NOTE]
|
||||
> If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org) by the [Electronic Frontier Foundation](https://eff.org). In France, you can take a look at the [Technopolice website](https://technopolice.fr/villes) maintained by the non-profit association La Quadrature du Net.
|
||||
|
||||
Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, as breaches of human rights, they're most often used to disproportionately target minority groups and political dissidents, among others.
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition quote" markdown>
|
||||
<p class="admonition-title">ACLU: <em><a href="https://aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward">The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward</a></em></p>
|
||||
|
||||
In the face of Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection), intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
|
||||
|
||||
</div>
|
||||
> In the face of Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection), intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
|
||||
<br>— ACLU: <em><a href="https://aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward">The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward</a></em>
|
||||
|
||||
Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
|
||||
|
||||
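Review bot: the ACLU attribution line that begins with `<br>` has no `>` prefix and, as shown here, directly follows the quoted paragraph, so it belongs to the blockquote only through lazy continuation. Prefix it with `> ` so the intent is explicit and a later edit that inserts a blank line does not move the citation out of the quote. In the same hunk, the Atlas of Surveillance callout merges what were two paragraphs (the EFF atlas and the Technopolice site for France) into one; a bare `>` line between them would keep the original break.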
@@ -204,7 +182,7 @@ People concerned with the threat of censorship can use technologies like [Tor](.
|
||||
|
||||
> [!TIP]
|
||||
> While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
|
||||
>
|
||||
>
|
||||
> You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../../advanced/dns-overview/index.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).
|
||||
|
||||
|
||||
|
||||
@@ -26,13 +26,8 @@ You should avoid changing passwords that you have to remember (such as your pass
|
||||
|
||||
When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](../threat-modeling/index.md) calls for it, we recommend going through important accounts (especially accounts that don't use multifactor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage.
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition tip" markdown>
|
||||
<p class="admonition-title">Checking for data breaches</p>
|
||||
|
||||
If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../../../tools/software/news-aggregators/index.md).
|
||||
|
||||
</div>
|
||||
> [!TIP]
|
||||
> If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../../../tools/software/news-aggregators/index.md).
|
||||
|
||||
## Creating strong passwords
|
||||
|
||||
@@ -64,13 +59,8 @@ To generate a diceware passphrase using real dice, follow these steps:
|
||||
|
||||
4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space.
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition warning" markdown>
|
||||
<p class="admonition-title">Important</p>
|
||||
|
||||
You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
|
||||
|
||||
</div>
|
||||
> [!IMPORTANT]
|
||||
> You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random.
|
||||
|
||||
If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. We recommend setting the generated passphrase length to at least 6 words.
|
||||
|
||||
@@ -160,17 +150,12 @@ There are many good options to choose from, both cloud-based and local. Choose o
|
||||
|
||||
[List of recommended password managers](../../../tools/software/passwords/index.md){ .md-button }
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition warning" markdown>
|
||||
<p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
|
||||
|
||||
When using [TOTP codes as multifactor authentication](../multi-factor-authentication/index.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../../../tools/software/multi-factor-authentication/index.md).
|
||||
|
||||
Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
|
||||
|
||||
Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
|
||||
|
||||
</div>
|
||||
> [!IMPORTANT]
|
||||
> When using [TOTP codes as multifactor authentication](../multi-factor-authentication/index.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../../../tools/software/multi-factor-authentication/index.md).
|
||||
>
|
||||
> Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
|
||||
>
|
||||
> Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
|
||||
|
||||
### Backups
|
||||
|
||||
|
||||
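Review bot: the dropped admonition title, "Don't place your passwords and TOTP tokens inside the same password manager", was the only place this instruction was stated outright, and the `> [!IMPORTANT]` callout that replaces it opens with the softer "the best security practice is to keep your TOTP codes in a separate app". Keep the directive as a bold first line of the callout. The source block was `admonition warning`, so `> [!WARNING]` would be the direct equivalent if the severity is meant to stay the same.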
@@ -17,13 +17,8 @@ You can enhance your privacy and security on Windows without downloading any thi
|
||||
- Application Sandboxing (coming soon)
|
||||
- Security Hardening (coming soon)
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition example" markdown>
|
||||
<p class="admonition-title">This section is new</p>
|
||||
|
||||
This section is a work in progress, because it takes considerably more time and effort to make a Windows installation more privacy-friendly than other operating systems.
|
||||
|
||||
</div>
|
||||
> [!NOTE]
|
||||
> This section is a work in progress, because it takes considerably more time and effort to make a Windows installation more privacy-friendly than other operating systems.
|
||||
|
||||
## Privacy Notes
|
||||
|
||||
|
||||