mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2026-05-31 23:49:15 +00:00
refactor: Ensure relative links are correct
This commit is contained in:
@@ -35,7 +35,7 @@ The most common way to create a new account is by an email address and password.
|
||||
|
||||
You will be responsible for managing your login credentials. For added security, you can set up [MFA](../multi-factor-authentication/_index.md) on your accounts.
|
||||
|
||||
[Recommended password managers](../../tools/software/passwords/_index.md){ .md-button }
|
||||
[Recommended password managers](../../../tools/software/passwords/_index.md){ .md-button }
|
||||
|
||||
#### Email aliases
|
||||
|
||||
@@ -43,7 +43,7 @@ If you don't want to give your real email address to a service, you have the opt
|
||||
|
||||
Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
|
||||
|
||||
[Recommended email aliasing services](../../tools/services/email-aliasing/_index.md){ .md-button }
|
||||
[Recommended email aliasing services](../../../tools/services/email-aliasing/_index.md){ .md-button }
|
||||
|
||||
### "Sign in with..." (OAuth)
|
||||
|
||||
|
||||
@@ -43,13 +43,13 @@ Residents of the EEA have additional rights regarding data erasure specified in
|
||||
|
||||
In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
|
||||
|
||||
For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../../tools/services/email-aliasing/_index.md). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
|
||||
For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../../../tools/services/email-aliasing/_index.md). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
|
||||
|
||||
### Delete
|
||||
|
||||
You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
|
||||
|
||||
For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](../multi-factor-authentication/_index.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../../tools/software/passwords/_index.md) can be useful for this).
|
||||
For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](../multi-factor-authentication/_index.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../../../tools/software/passwords/_index.md) can be useful for this).
|
||||
|
||||
If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
|
||||
|
||||
|
||||
@@ -23,7 +23,7 @@ We talk about "shifting trust" a lot when discussing solutions like VPNs (which
|
||||
|
||||
## "Privacy-focused solutions are inherently trustworthy"
|
||||
|
||||
Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../../tools/software/encryption/_index.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
|
||||
Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../../../tools/software/encryption/_index.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
|
||||
|
||||
The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.
|
||||
|
||||
@@ -50,7 +50,7 @@ One of the clearest threat models is one where people *know who you are* and one
|
||||
|
||||
2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
|
||||
|
||||
You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](../../tools/software/cryptocurrency/_index.md#monero). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
|
||||
You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](../../../tools/software/cryptocurrency/_index.md#monero). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
|
||||
|
||||
3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.
|
||||
|
||||
|
||||
@@ -65,7 +65,7 @@ To minimize the damage that a malicious piece of software *could* do, you should
|
||||
> [!TIP]
|
||||
> Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.
|
||||
>
|
||||
> Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../tools/os/desktop/_index.md#qubes-os).
|
||||
> Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../../tools/os/desktop/_index.md#qubes-os).
|
||||
|
||||
|
||||
## Attacks against Specific Individuals
|
||||
@@ -122,7 +122,7 @@ Thankfully, E2EE can alleviate this issue by encrypting communications between y
|
||||
<div class="admonition note" markdown>
|
||||
<p class="admonition-title">Note on Web-based Encryption</p>
|
||||
|
||||
In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../../tools/services/messengers/_index.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
|
||||
In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../../../tools/services/messengers/_index.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).
|
||||
|
||||
On the other hand, web-based E2EE implementations, such as Proton Mail's web app or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.
|
||||
|
||||
@@ -200,7 +200,7 @@ Censorship online can be carried out (to varying degrees) by actors including to
|
||||
|
||||
Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
|
||||
|
||||
People concerned with the threat of censorship can use technologies like [Tor](../../advanced/tor-overview/_index.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../../tools/software/social-networks/_index.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
|
||||
People concerned with the threat of censorship can use technologies like [Tor](../../advanced/tor-overview/_index.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../../../tools/software/social-networks/_index.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
|
||||
|
||||
> [!TIP]
|
||||
> While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.
|
||||
|
||||
@@ -11,9 +11,9 @@ As a result, email is best used for receiving transactional emails (like notific
|
||||
|
||||
## Email Encryption Overview
|
||||
|
||||
The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../../tools/software/encryption/_index.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org).
|
||||
The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../../../tools/software/encryption/_index.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org).
|
||||
|
||||
Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../../tools/services/messengers/_index.md) which implement forward secrecy over email for person-to-person communications whenever possible.
|
||||
Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../../../tools/services/messengers/_index.md) which implement forward secrecy over email for person-to-person communications whenever possible.
|
||||
|
||||
There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP.
|
||||
|
||||
@@ -21,7 +21,7 @@ There is another standard which is popular with business called [S/MIME](https:/
|
||||
|
||||
The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email clients to discover the OpenPGP key for other mailboxes, even those hosted on a different provider. Email clients which support WKD will ask the recipient's server for a key based on the email address' domain name. For example, if you emailed `jonah@privacyguides.org`, your email client would ask `privacyguides.org` for Jonah's OpenPGP key, and if `privacyguides.org` has a key for that account, your message would be automatically encrypted.
|
||||
|
||||
In addition to the [email clients we recommend](../../tools/software/email-clients/_index.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../../tools/services/email/_index.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox Mail, they can publish your OpenPGP key on their domain for you.
|
||||
In addition to the [email clients we recommend](../../../tools/software/email-clients/_index.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../../../tools/services/email/_index.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox Mail, they can publish your OpenPGP key on their domain for you.
|
||||
|
||||
If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting).
|
||||
|
||||
@@ -29,11 +29,11 @@ If you use a shared domain from a provider which doesn't support WKD, like `@gma
|
||||
|
||||
### What Email Clients Support E2EE?
|
||||
|
||||
Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../../tools/software/email-clients/_index.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](../account-creation/_index.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](../multi-factor-authentication/_index.md) is not possible with plain password authentication.
|
||||
Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../../../tools/software/email-clients/_index.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](../account-creation/_index.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](../multi-factor-authentication/_index.md) is not possible with plain password authentication.
|
||||
|
||||
### How Do I Protect My Private Keys?
|
||||
|
||||
A smart card (such as a [YubiKey](https://support.yubico.com/hc/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](../../tools/hardware/security-keys/_index.md#nitrokey)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc.) running an email/webmail client. The message is then decrypted by the smart card and the decrypted content is sent back to the device.
|
||||
A smart card (such as a [YubiKey](https://support.yubico.com/hc/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](../../../tools/hardware/security-keys/_index.md#nitrokey)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc.) running an email/webmail client. The message is then decrypted by the smart card and the decrypted content is sent back to the device.
|
||||
|
||||
It is advantageous for the decryption to occur on the smart card to avoid possibly exposing your private key to a compromised device.
|
||||
|
||||
|
||||
@@ -57,7 +57,7 @@ Android defines three [security classes](https://source.android.com/docs/securit
|
||||
|
||||
### Device Encryption
|
||||
|
||||
If your device is [encrypted](../../tools/software/encryption/_index.md), your data is most secure when your device is completely powered off (as opposed to merely asleep), i.e. before you've entered your encryption key or lock screen password for the first time. On phones, this state of higher security is referred to as "Before First Unlock" (BFU), and "After First Unlock" (AFU) once you enter the correct password after a reboot/power-on. AFU is considerably less secure against digital forensics toolkits and other exploits, compared to BFU. Therefore, if you are concerned about an attacker with physical access to your device, you should turn it off fully whenever you aren't using it.
|
||||
If your device is [encrypted](../../../tools/software/encryption/_index.md), your data is most secure when your device is completely powered off (as opposed to merely asleep), i.e. before you've entered your encryption key or lock screen password for the first time. On phones, this state of higher security is referred to as "Before First Unlock" (BFU), and "After First Unlock" (AFU) once you enter the correct password after a reboot/power-on. AFU is considerably less secure against digital forensics toolkits and other exploits, compared to BFU. Therefore, if you are concerned about an attacker with physical access to your device, you should turn it off fully whenever you aren't using it.
|
||||
|
||||
This may be impractical, so consider whether it's worth it, but in either case even AFU mode is effective against most threats, given you are using a strong encryption key.
|
||||
|
||||
@@ -69,7 +69,7 @@ Some threats can't be protected against by your internal components alone. Many
|
||||
|
||||
Hardware keys are devices that use strong cryptography to authenticate you to a device or account. The idea is that because they can not be copied, you can use them to secure accounts in such a way that they can only be accessed with physical possession of the key, eliminating many remote attacks.
|
||||
|
||||
[Recommended Hardware Keys :material-arrow-right-drop-circle:](../../tools/hardware/security-keys/_index.md){ .md-button .md-button--primary } [Learn More about Hardware Keys :material-arrow-right-drop-circle:](../multi-factor-authentication/_index.md#hardware-security-keys){ .md-button }
|
||||
[Recommended Hardware Keys :material-arrow-right-drop-circle:](../../../tools/hardware/security-keys/_index.md){ .md-button .md-button--primary } [Learn More about Hardware Keys :material-arrow-right-drop-circle:](../multi-factor-authentication/_index.md#hardware-security-keys){ .md-button }
|
||||
|
||||
### Camera/Microphone
|
||||
|
||||
@@ -135,6 +135,6 @@ The most important thing to think about with routers is keeping them up-to-date.
|
||||
|
||||
If your router does not support automatic updates, you will need to go to the manufacturer's site to download the updates and apply them manually.
|
||||
|
||||
Many consumer-grade routers aren't supported for very long. If your router isn't supported by the manufacturer anymore, you can check if it's supported by [FOSS firmware](../../tools/os/router-firmware/_index.md). You can also buy routers that come with FOSS firmware installed by default; these tend to be supported longer than most routers.
|
||||
Many consumer-grade routers aren't supported for very long. If your router isn't supported by the manufacturer anymore, you can check if it's supported by [FOSS firmware](../../../tools/os/router-firmware/_index.md). You can also buy routers that come with FOSS firmware installed by default; these tend to be supported longer than most routers.
|
||||
|
||||
Some ISPs provide a combined router/modem. It can be beneficial for security to purchase a separate router and set your ISP router/modem into modem-only mode. This way, even when your ISP-provided router is no longer getting updates, you can still get security updates and patches. It also means any problems that affect your modem won't affect your router and vice versa.
|
||||
|
||||
@@ -35,7 +35,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
|
||||
|
||||
An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
|
||||
|
||||
Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../../tools/hardware/security-keys/_index.md) are not supported [authenticator apps](../../tools/software/multi-factor-authentication/_index.md) are still a good option.
|
||||
Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../../../tools/hardware/security-keys/_index.md) are not supported [authenticator apps](../../../tools/software/multi-factor-authentication/_index.md) are still a good option.
|
||||
|
||||
### Hardware security keys
|
||||
|
||||
@@ -99,7 +99,7 @@ When configuring your MFA method, keep in mind that it is only as secure as your
|
||||
|
||||
You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
|
||||
|
||||
When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../../tools/software/encryption/_index.md#veracrypt-disk)).
|
||||
When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../../../tools/software/encryption/_index.md#veracrypt-disk)).
|
||||
|
||||
### Initial Set Up
|
||||
|
||||
@@ -111,7 +111,7 @@ If you have to use email for MFA, make sure that the email account itself is sec
|
||||
|
||||
If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
|
||||
|
||||
[MFA tools we recommend](../../tools/software/multi-factor-authentication/_index.md){ .md-button }
|
||||
[MFA tools we recommend](../../../tools/software/multi-factor-authentication/_index.md){ .md-button }
|
||||
|
||||
## More Places to Set Up MFA
|
||||
|
||||
|
||||
@@ -18,7 +18,7 @@ This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_st
|
||||
|
||||
<mark>You should **never** rely on yourself to come up with a good password.</mark> We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices.
|
||||
|
||||
All of our [recommended password managers](../../tools/software/passwords/_index.md) include a built-in password generator that you can use.
|
||||
All of our [recommended password managers](../../../tools/software/passwords/_index.md) include a built-in password generator that you can use.
|
||||
|
||||
### Rotating Passwords
|
||||
|
||||
@@ -30,7 +30,7 @@ When it comes to passwords that you don't have to remember (such as passwords st
|
||||
<div class="admonition tip" markdown>
|
||||
<p class="admonition-title">Checking for data breaches</p>
|
||||
|
||||
If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../../tools/software/news-aggregators/_index.md).
|
||||
If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../../../tools/software/news-aggregators/_index.md).
|
||||
|
||||
</div>
|
||||
|
||||
@@ -158,13 +158,13 @@ The best way to store your passwords is by using a password manager. They allow
|
||||
|
||||
There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words.
|
||||
|
||||
[List of recommended password managers](../../tools/software/passwords/_index.md){ .md-button }
|
||||
[List of recommended password managers](../../../tools/software/passwords/_index.md){ .md-button }
|
||||
|
||||
<!-- TODO: Admonition -->
|
||||
<div class="admonition warning" markdown>
|
||||
<p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
|
||||
|
||||
When using [TOTP codes as multifactor authentication](../multi-factor-authentication/_index.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../../tools/software/multi-factor-authentication/_index.md).
|
||||
When using [TOTP codes as multifactor authentication](../multi-factor-authentication/_index.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../../../tools/software/multi-factor-authentication/_index.md).
|
||||
|
||||
Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
|
||||
|
||||
@@ -174,4 +174,4 @@ Furthermore, we do not recommend storing single-use recovery codes in your passw
|
||||
|
||||
### Backups
|
||||
|
||||
You should store an [encrypted](../../tools/software/encryption/_index.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
|
||||
You should store an [encrypted](../../../tools/software/encryption/_index.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using.
|
||||
|
||||
@@ -14,7 +14,7 @@ Normally, an ISP can see the flow of internet traffic entering and exiting your
|
||||
Using a VPN hides even this information from your ISP, by shifting the trust you place in your network to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing through it.
|
||||
|
||||
> [!NOTE]
|
||||
> When we refer to "Virtual Private Networks" on this website, we are usually referring to **commercial** [VPN providers](../../tools/services/vpn/_index.md), who you pay a monthly fee to in exchange for routing your internet traffic securely through their public servers. There are many other forms of VPN, such as ones you host yourself or ones operated by workplaces which allow you to securely connect to internal/employee network resources, however, these VPNs are usually designed for accessing remote networks securely, rather than protecting the privacy of your internet connection.
|
||||
> When we refer to "Virtual Private Networks" on this website, we are usually referring to **commercial** [VPN providers](../../../tools/services/vpn/_index.md), who you pay a monthly fee to in exchange for routing your internet traffic securely through their public servers. There are many other forms of VPN, such as ones you host yourself or ones operated by workplaces which allow you to securely connect to internal/employee network resources, however, these VPNs are usually designed for accessing remote networks securely, rather than protecting the privacy of your internet connection.
|
||||
|
||||
|
||||
## How does a VPN work?
|
||||
@@ -70,7 +70,7 @@ You should not use that feature: The primary advantage of using Tor is that you
|
||||
|
||||
Currently, Tor only supports the TCP protocol. UDP (used by [WebRTC](https://en.wikipedia.org/wiki/WebRTC), [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3), and other protocols), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol), and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
|
||||
|
||||
The feature should be viewed as a *convenient* way to access hidden services on Tor, not to stay anonymous. For proper anonymity, use the actual [Tor Browser](../../tools/software/tor/_index.md).
|
||||
The feature should be viewed as a *convenient* way to access hidden services on Tor, not to stay anonymous. For proper anonymity, use the actual [Tor Browser](../../../tools/software/tor/_index.md).
|
||||
|
||||
## Commercial VPN Ownership
|
||||
|
||||
@@ -78,7 +78,7 @@ Most VPN services are owned by the same [few companies](https://vpnpro.com/blog/
|
||||
|
||||
You should also be wary that many VPN review sites are merely advertising vehicles open to the highest bidder. <mark>Privacy Guides does not make money from recommending external products, and never uses affiliate programs.</mark>
|
||||
|
||||
[Our VPN Recommendations](../../tools/services/vpn/_index.md){ .md-button }
|
||||
[Our VPN Recommendations](../../../tools/services/vpn/_index.md){ .md-button }
|
||||
|
||||
## Modern VPN Alternatives
|
||||
|
||||
|
||||
@@ -26,11 +26,11 @@ Many people get the concepts of **privacy**, **security**, and **anonymity** con
|
||||
<!-- markdownlint-disable-next-line -->
|
||||
**Anonymity**
|
||||
|
||||
: Anonymity is the ability to act without a persistent identifier. You might achieve this online with [Tor](../../tools/software/tor/_index.md), which allows you to browse the internet with a random IP address and network connection instead of your own.
|
||||
: Anonymity is the ability to act without a persistent identifier. You might achieve this online with [Tor](../../../tools/software/tor/_index.md), which allows you to browse the internet with a random IP address and network connection instead of your own.
|
||||
|
||||
: **Pseudonymity** is a similar concept, but it allows you to have a persistent identifier without it being tied to your real identity. If everybody knows you as `@GamerGuy12` online, but nobody knows your real name, that is your pseudonym.
|
||||
|
||||
All of these concepts overlap, but it is possible to have any combination of these. The sweet spot for most people is when all three of these concepts overlap. However, it's trickier to achieve than many initially believe. Sometimes, you have to compromise on some of these, and that's okay too. This is where **threat modeling** comes into play, allowing you to make informed decisions about the [software and services](../../tools/_index.md) you use.
|
||||
All of these concepts overlap, but it is possible to have any combination of these. The sweet spot for most people is when all three of these concepts overlap. However, it's trickier to achieve than many initially believe. Sometimes, you have to compromise on some of these, and that's okay too. This is where **threat modeling** comes into play, allowing you to make informed decisions about the [software and services](../../../tools/_index.md) you use.
|
||||
|
||||
[:material-book-outline: Learn More About Threat Modeling](../threat-modeling/_index.md){ .md-button }
|
||||
|
||||
@@ -48,7 +48,7 @@ Take cookie consent forms, for example. You may encounter these dozens of times
|
||||
|
||||
<mark>Control over your privacy inside most apps is an illusion.</mark> It's a shiny dashboard with all sorts of choices you can make about your data, but rarely the choices you're looking for, like "only use my data to help me." This type of control is meant to make you feel guilty about your choices, that you "had the choice" to make the apps you use more private, and you chose not to.
|
||||
|
||||
Privacy is something we need to have baked into the [software and services](../../tools/_index.md) we use by default, you can't bend most apps into being private on your own.
|
||||
Privacy is something we need to have baked into the [software and services](../../../tools/_index.md) we use by default, you can't bend most apps into being private on your own.
|
||||
|
||||
[:material-movie-open-play-outline: Video: 5 Steps to Improve Your Privacy](https://www.privacyguides.org/videos/2025/02/14/5-easy-steps-to-protect-yourself-online){ class="md-button" }
|
||||
|
||||
|
||||
Reference in New Issue
Block a user