diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
deleted file mode 100644
index 1d59b8f8..00000000
--- a/.github/actions/build/action.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-name: 'Build'
-description: 'Builds Jekyll Site'
-runs:
- using: "composite"
- steps:
- - shell: bash
- run: |
- sed -i "s/^ date:.*$/ date: $(TZ=UTC date "+%Y-%m-%d")/" _config.yml
- sed -i "s/^ time:.*$/ time: $(TZ=UTC date "+%H:%M:%S %Z")/" _config.yml
- - shell: bash
- run: npm run build
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..7c34fa7d
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,53 @@
+name: Build Website
+on:
+ pull_request:
+ branches:
+ - main
+
+env:
+ PYTHON_VERSION: 3.x
+
+jobs:
+ build:
+ name: Build website
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Set up Python runtime
+ uses: actions/setup-python@v3
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+
+ - name: Cache files
+ uses: actions/cache@v2
+ with:
+ key: ${{ github.ref }}
+ path: .cache
+
+ - name: Install Python dependencies
+ run: |
+ pip install 'mkdocs>=1.3.0'
+
+ - name: Install mkdocs-material Insiders build
+ if: github.event.repository.fork == false
+ env:
+ GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ run: |
+ git clone --depth 1 https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+ pip install -e mkdocs-material-insiders
+
+ - name: Build website
+ run: |
+ mkdocs build --config-file mkdocs.production.yml
+ mv .well-known site/
+ tar cvf site.tar site
+ mkdocs --version
+
+ - name: Package website
+ uses: actions/upload-artifact@v2
+ with:
+ name: generated-site
+ path: site.tar
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 00000000..07344de2
--- /dev/null
+++ b/.github/workflows/deploy.yml
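Review bot: The Insiders clone step in build.yml puts the token in the URL (`https://${GH_TOKEN}@github.com/...`), so git stores it in `mkdocs-material-insiders/.git/config` inside the workspace, where the later `mkdocs build` step, which runs configuration and content taken from the pull request, can read it. The guard `github.event.repository.fork == false` describes the base repository rather than the PR head, so on a pull request from a fork the step appears to still run, only with an empty secret. Fetching the repository with `actions/checkout` and `persist-credentials: false` keeps the token out of the working tree, and gating on the head repository skips the step for fork PRs; the identical clone step in deploy.yml has the same token-in-URL issue (its trigger is `push`, so the guard there needs no change). Neither workflow declares a `permissions:` block, so a top-level `permissions:` with `contents: read` is worth adding as well.

```yaml
      # … unchanged: checkout, Python setup, cache, mkdocs install …

      - name: Check out mkdocs-material Insiders
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/checkout@v3
        with:
          repository: squidfunk/mkdocs-material-insiders
          token: ${{ secrets.GH_TOKEN }}
          path: mkdocs-material-insiders
          persist-credentials: false

      - name: Install mkdocs-material Insiders build
        if: github.event.pull_request.head.repo.full_name == github.repository
        run: pip install -e mkdocs-material-insiders

      # … unchanged: build website, package website …
```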
@@ -0,0 +1,73 @@
+name: Deploy Website
+on:
+ push:
+ branches:
+ - main
+
+env:
+ PYTHON_VERSION: 3.x
+
+jobs:
+ build:
+ name: Build website
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Set up Python runtime
+ uses: actions/setup-python@v3
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+
+ - name: Cache files
+ uses: actions/cache@v2
+ with:
+ key: ${{ github.ref }}
+ path: .cache
+
+ - name: Install Python dependencies
+ run: |
+ pip install 'mkdocs>=1.3.0'
+
+ - name: Install mkdocs-material Insiders build
+ if: github.event.repository.fork == false
+ env:
+ GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ run: |
+ git clone --depth 1 https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+ pip install -e mkdocs-material-insiders
+
+ - name: Build website
+ run: |
+ mkdocs build --config-file mkdocs.production.yml
+ mv .well-known site/
+ tar cvf site.tar site
+ mkdocs --version
+
+ - name: Package website
+ uses: actions/upload-artifact@v2
+ with:
+ name: generated-site
+ path: site.tar
+
+ deploy:
+ name: Rsync Deploy
+ runs-on: ubuntu-latest
+ environment: production
+ needs: build
+
+ steps:
+ - name: Download generated Jekyll site
+ uses: actions/download-artifact@v2
+ with:
+ name: generated-site
+ - run: tar xvf site.tar
+ - name: Copy built site to production
+ run: |
+ mkdir -p ~/.ssh
+ echo "${{ secrets.SSH_KEY }}" > ~/.ssh/id_rsa
+ chmod 700 ~/.ssh/id_rsa
+ ssh-keyscan -H ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts
+ rsync -azP --delete site/ ${{ secrets.SSH_USERNAME }}@${{ secrets.SSH_HOST }}:${{ secrets.SSH_PATH }}
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
deleted file mode 100644
index 49e386ca..00000000
--- a/.github/workflows/production.yml
+++ /dev/null
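Review bot: `ssh-keyscan -H ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts` in the deploy job trusts whatever host key answers at run time, so the `rsync --delete` that follows has no real host authentication; writing a pinned host key (kept as a secret or variable) into `known_hosts` closes that gap. The private key is written under the default umask and then given `chmod 700`, where a key file wants `600` (or `umask 077` before the write), and the secrets are expanded straight into the script text instead of being passed through `env:` and quoted. The deleted production.yml set `concurrency` with `group: Production` and `cancel-in-progress: true`; deploy.yml drops it, so two pushes close together can run overlapping deploys. In the fence below, `SSH_KNOWN_HOSTS` is a placeholder secret name that does not appear in the commit.

```yaml
      - name: Copy built site to production
        env:
          SSH_KEY: ${{ secrets.SSH_KEY }}
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}  # placeholder: pinned host key line(s)
          SSH_HOST: ${{ secrets.SSH_HOST }}
          SSH_USERNAME: ${{ secrets.SSH_USERNAME }}
          SSH_PATH: ${{ secrets.SSH_PATH }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$SSH_KEY" > ~/.ssh/id_rsa
          printf '%s\n' "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
          rsync -azP --delete site/ "${SSH_USERNAME}@${SSH_HOST}:${SSH_PATH}"
```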
@@ -1,62 +0,0 @@ -name: Production Deploy -concurrency: - group: Production - cancel-in-progress: true - -on: - push: - branches: [ main ] - -env: - FONTAWESOME_NPM_AUTH_TOKEN: ${{ secrets.FONTAWESOME_NPM_AUTH_TOKEN }} - -jobs: - build: - name: Jekyll Build - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - uses: ruby/setup-ruby@v1 - with: - bundler-cache: true - - uses: actions/setup-node@v3 - with: - node-version: '14' - - name: Cache Jekyll build - uses: actions/cache@v3 - with: - path: | - .jekyll-cache - .sass-cache - key: ${{ runner.os }}-jekyll-${{ hashFiles('**/*.??m[ld]') }} - - name: Install dependencies - run: npm install - - name: Build website - uses: ./.github/actions/build - - run: tar cvf site.tar _site - - name: Upload generated Jekyll site - uses: actions/upload-artifact@v2 - with: - name: generated-site - path: site.tar - - deploy: - name: Rsync Deploy - runs-on: ubuntu-latest - environment: production - needs: build - - steps: - - name: Download generated Jekyll site - uses: actions/download-artifact@v2 - with: - name: generated-site - - run: tar xvf site.tar - - name: Copy built site to production - run: | - mkdir -p ~/.ssh - echo "${{ secrets.SSH_KEY }}" > ~/.ssh/id_rsa - chmod 700 ~/.ssh/id_rsa - ssh-keyscan -H ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts - rsync -azP --delete _site/ ${{ secrets.SSH_USERNAME }}@${{ secrets.SSH_HOST }}:${{ secrets.SSH_PATH }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml deleted file mode 100644 index 5c95dbf4..00000000 --- a/.github/workflows/tests.yml +++ /dev/null 
@@ -1,238 +0,0 @@ -name: Code tests - -on: - push: - branches: - - main - pull_request: - branches: - - main - -env: - FONTAWESOME_NPM_AUTH_TOKEN: ${{ secrets.FONTAWESOME_NPM_AUTH_TOKEN }} - -jobs: - deps: - name: "Dependency Install" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - name: Cache node modules - uses: actions/cache@v3 - with: - path: ~/.npm - key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-npm- - - uses: actions/setup-node@v3 - with: - node-version: '14' - - run: npm install - - run: tar cvf node_modules.tar node_modules - - name: Upload node_modules for Jekyll build - uses: actions/upload-artifact@v2 - with: - name: node_modules - path: node_modules.tar - - build: - name: "Jekyll Build" - runs-on: ubuntu-latest - needs: deps - - steps: - - uses: actions/checkout@v3 - - uses: ruby/setup-ruby@v1 - with: - bundler-cache: true - - uses: actions/setup-node@v3 - with: - node-version: '14' - - name: Cache Jekyll build - uses: actions/cache@v3 - with: - path: | - .jekyll-cache - .sass-cache - key: ${{ runner.os }}-jekyll-${{ hashFiles('**/*.??m[ld]') }} - restore-keys: | - ${{ runner.os }}-jekyll- - - name: Set Date and Time - run: | - sed -i "s/^ date:.*$/ date: $(TZ=UTC date "+%Y-%m-%d")/" _config.yml - sed -i "s/^ time:.*$/ time: $(TZ=UTC date "+%H:%M:%S %Z")/" _config.yml - - name: Download node_modules - uses: actions/download-artifact@v2 - with: - name: node_modules - - run: tar xvf node_modules.tar - - name: Generate Website - run: npm run build - - run: tar cvf site.tar _site - - name: Upload generated Jekyll site - uses: actions/upload-artifact@v2 - with: - name: generated-site - path: site.tar - - link: - name: "Broken Hyperlinks (Internal)" - runs-on: ubuntu-latest - needs: build - - steps: - - uses: actions/checkout@v3 - - name: Download generated Jekyll site - uses: actions/download-artifact@v2 - with: - name: generated-site - - run: tar xvf site.tar - - name: Copy 
built site to production - run: | - mv ${{ github.workspace }}/_site /tmp/ - mkdir -p /tmp/src - mv ${{ github.workspace }}/* /tmp/src/ - mkdir -p ${{ github.workspace }}/src - mv /tmp/src/* ${{ github.workspace }}/src/ - mv /tmp/_site ${{ github.workspace }}/ - - name: Internal link checker - uses: untitaker/hyperlink@0.1.21 - with: - args: _site/ --sources src/ - - extlink: - name: "Broken Hyperlinks (External)" - runs-on: ubuntu-latest - needs: [build, link] - - steps: - - uses: actions/checkout@v3 - - name: Download generated Jekyll site - uses: actions/download-artifact@v2 - with: - name: generated-site - - run: tar xvf site.tar - - name: Cache HTMLProofer - id: cache-htmlproofer - uses: actions/cache@v3 - with: - path: tmp/.htmlproofer - key: ${{ runner.os }}-htmlproofer-${{ hashFiles('_site/**.html') }} - restore-keys: | - ${{ runner.os }}-htmlproofer- - ${{ runner.os }}-htmlproofer - - name: Check External Links (Informational, Soft-Fail) - uses: chabad360/htmlproofer@v1.1 - with: - directory: ${{ github.workspace }}/_site - arguments: --assume-extension --external_only --internal-domains privacyguides.org,www.privacyguides.org --timeframe 30d --url-ignore '/https:\/\/developers\.cloudflare\.com\//,/https:\/\/github\.com\/privacyguides\/privacyguides\.org\/(edit|tree|blob)\/main/,/https:\/\/support\.(startmail|yubico)\.com\//' - continue-on-error: true - - https: - name: "Require HTTPS Internal Images" - runs-on: ubuntu-latest - needs: build - - steps: - - uses: actions/checkout@v3 - - name: Download generated Jekyll site - uses: actions/download-artifact@v2 - with: - name: generated-site - - run: tar xvf site.tar - - name: Check Images - uses: chabad360/htmlproofer@v1.1 - with: - directory: ${{ github.workspace }}/_site - arguments: --assume-extension --check-img-http --internal-domains privacyguides.org,www.privacyguides.org --disable-external --checks-to-ignore LinkCheck,ScriptCheck - - scripts: - name: "Script Reference Checks" - runs-on: ubuntu-latest 
- needs: [build, link] - - steps: - - uses: actions/checkout@v3 - - name: Download generated Jekyll site - uses: actions/download-artifact@v2 - with: - name: generated-site - - run: tar xvf site.tar - - name: Check HTML - uses: chabad360/htmlproofer@v1.1 - with: - directory: ${{ github.workspace }}/_site - arguments: --assume-extension --check-html --disable-external --check-sri --report-script-embeds --internal-domains privacyguides.org,www.privacyguides.org --checks-to-ignore LinkCheck,ImageCheck,HtmlCheck - - tags: - name: "HTML Tag Test" - runs-on: ubuntu-latest - needs: build - - steps: - - uses: actions/checkout@v3 - - name: Download generated Jekyll site - uses: actions/download-artifact@v2 - with: - name: generated-site - - run: tar xvf site.tar - - name: Validate HTML - uses: chabad360/htmlproofer@v1.1 - with: - directory: ${{ github.workspace }}/_site - arguments: --assume-extension --check-html --disable-external --allow-hash-href --internal-domains privacyguides.org,www.privacyguides.org --report-invalid-tags --report-eof-tags --report-mismatched-tags --checks-to-ignore LinkCheck,ImageCheck,ScriptCheck - - entity: - name: "HTML Entity Names Test" - runs-on: ubuntu-latest - needs: build - - steps: - - uses: actions/checkout@v3 - - name: Download generated Jekyll site - uses: actions/download-artifact@v2 - with: - name: generated-site - - run: tar xvf site.tar - - name: Validate HTML - uses: chabad360/htmlproofer@v1.1 - with: - directory: ${{ github.workspace }}/_site - arguments: --assume-extension --check-html --disable-external --allow-hash-href --internal-domains privacyguides.org,www.privacyguides.org --report-missing-names --checks-to-ignore LinkCheck,ImageCheck,ScriptCheck - - misc: - name: "Misc HTML Test" - runs-on: ubuntu-latest - needs: build - - steps: - - uses: actions/checkout@v3 - - name: Download generated Jekyll site - uses: actions/download-artifact@v2 - with: - name: generated-site - - run: tar xvf site.tar - - name: Validate HTML - 
uses: chabad360/htmlproofer@v1.1 - with: - directory: ${{ github.workspace }}/_site - arguments: --assume-extension --check-html --disable-external --internal-domains privacyguides.org,www.privacyguides.org --report-missing-doctype --checks-to-ignore LinkCheck,ImageCheck,ScriptCheck - - opengraph: - name: "OpenGraph Test" - runs-on: ubuntu-latest - needs: build - - steps: - - uses: actions/checkout@v3 - - name: Download generated Jekyll site - uses: actions/download-artifact@v2 - with: - name: generated-site - - run: tar xvf site.tar - - name: Check OpenGraph - uses: chabad360/htmlproofer@v1.1 - with: - directory: ${{ github.workspace }}/_site - arguments: --assume-extension --disable-external --check-opengraph --checks-to-ignore LinkCheck,ImageCheck,ScriptCheck diff --git a/.gitignore b/.gitignore index f34d9b03..8033e4fd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,13 +1,2 @@ -_site/ -.sass-cache/ -.jekyll-metadata -.DS_Store -font/assets/ -font/_sass/ -font/.fontcustom-manifest.json -assets/webfonts/ptio-font-preview.html -vendor -node_modules -.bundle -.jekyll-cache -.nova +site +.cache diff --git a/.npmrc b/.npmrc deleted file mode 100644 index 52d5ff04..00000000 --- a/.npmrc +++ /dev/null @@ -1,2 +0,0 @@ -@fortawesome:registry=https://npm.fontawesome.com/ -//npm.fontawesome.com/:_authToken=${FONTAWESOME_NPM_AUTH_TOKEN} diff --git a/.ruby-version b/.ruby-version deleted file mode 100644 index 4a36342f..00000000 --- a/.ruby-version +++ /dev/null @@ -1 +0,0 @@ -3.0.0 diff --git a/404.html b/404.html deleted file mode 100644 index cc82e627..00000000 --- a/404.html +++ /dev/null @@ -1,21 +0,0 @@ ---- -layout: default ---- - -
-
-

404

-

We couldn't find that :(

-

Maybe you were looking for one of these pages?

-
- -
-
-
-

If you believe you reached this page in error, please contact us!

-
-
diff --git a/Gemfile b/Gemfile deleted file mode 100644 index eee557ee..00000000 --- a/Gemfile +++ /dev/null @@ -1,20 +0,0 @@ -source "https://rubygems.org" - -gem "jekyll", "~> 4.2" - -group :jekyll_plugins do - gem "jekyll-feed", "~> 0.16" - gem "jekyll-brotli", "~> 2.3" - gem "jekyll-sitemap", "~> 1.4" -end - -# Jekyll 3.9.0 now requires this explicitly installed, apparently -gem "kramdown-parser-gfm", "~> 1.1" -gem "webrick", "~> 1.7" -gem 'eventmachine', '1.3.0.dev.1', git: 'https://github.com/eventmachine/eventmachine', branch: 'master' - -# Windows does not include zoneinfo files, so bundle the tzinfo-data gem -gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw, :jruby] - -# Performance-booster for watching directories on Windows -gem "wdm", "~> 0.1.0" if Gem.win_platform? diff --git a/Gemfile.lock b/Gemfile.lock deleted file mode 100644 index 064f0802..00000000 --- a/Gemfile.lock +++ /dev/null 
@@ -1,89 +0,0 @@ -GIT - remote: https://github.com/eventmachine/eventmachine - revision: df4ab0068e5e9f504096584093a74510d0dac6c8 - branch: master - specs: - eventmachine (1.3.0.dev.1) - -GEM - remote: https://rubygems.org/ - specs: - addressable (2.8.0) - public_suffix (>= 2.0.2, < 5.0) - brotli (0.2.3) - colorator (1.1.0) - concurrent-ruby (1.1.9) - em-websocket (0.5.3) - eventmachine (>= 0.12.9) - http_parser.rb (~> 0) - ffi (1.15.5) - forwardable-extended (2.6.0) - http_parser.rb (0.8.0) - i18n (1.10.0) - concurrent-ruby (~> 1.0) - jekyll (4.2.2) - addressable (~> 2.4) - colorator (~> 1.0) - em-websocket (~> 0.5) - i18n (~> 1.0) - jekyll-sass-converter (~> 2.0) - jekyll-watch (~> 2.0) - kramdown (~> 2.3) - kramdown-parser-gfm (~> 1.0) - liquid (~> 4.0) - mercenary (~> 0.4.0) - pathutil (~> 0.9) - rouge (~> 3.0) - safe_yaml (~> 1.0) - terminal-table (~> 2.0) - jekyll-brotli (2.3.0) - brotli (~> 0.2.0) - jekyll (>= 3.0, < 5.0) - jekyll-feed (0.16.0) - jekyll (>= 3.7, < 5.0) - jekyll-sass-converter (2.2.0) - sassc (> 2.0.1, < 3.0) - jekyll-sitemap (1.4.0) - jekyll (>= 3.7, < 5.0) - jekyll-watch (2.2.1) - listen (~> 3.0) - kramdown (2.3.1) - rexml - kramdown-parser-gfm (1.1.0) - kramdown (~> 2.0) - liquid (4.0.3) - listen (3.7.1) - rb-fsevent (~> 0.10, >= 0.10.3) - rb-inotify (~> 0.9, >= 0.9.10) - mercenary (0.4.0) - pathutil (0.16.2) - forwardable-extended (~> 2.6) - public_suffix (4.0.6) - rb-fsevent (0.11.1) - rb-inotify (0.10.1) - ffi (~> 1.0) - rexml (3.2.5) - rouge (3.28.0) - safe_yaml (1.0.5) - sassc (2.4.0) - ffi (~> 1.9) - terminal-table (2.0.0) - unicode-display_width (~> 1.1, >= 1.1.1) - unicode-display_width (1.8.0) - webrick (1.7.0) - -PLATFORMS - ruby - -DEPENDENCIES - eventmachine (= 1.3.0.dev.1)! - jekyll (~> 4.2) - jekyll-brotli (~> 2.3) - jekyll-feed (~> 0.16) - jekyll-sitemap (~> 1.4) - kramdown-parser-gfm (~> 1.1) - tzinfo-data - webrick (~> 1.7) - -BUNDLED WITH - 2.2.5 diff --git a/README.md b/README.md index c24b2e51..96a8c6b4 100644 
--- a/README.md +++ b/README.md @@ -1,6 +1,6 @@
- Privacy Guides + Privacy Guides

Your central privacy and security resource to protect yourself online.

@@ -44,17 +44,7 @@ ## Developing -1. Install the version of [Ruby](https://www.ruby-lang.org/en/downloads/) currently specified by [`.ruby-version`](.ruby-version) - * With [rbenv](https://github.com/rbenv/rbenv) (**recommended!**): `rbenv install` - * With [RVM](https://rvm.io): `rvm install "ruby-$(cat .ruby-version)"` - * [Manually](https://www.ruby-lang.org/en/downloads/) -1. Install node.js and npm -1. Install [Bundler](https://bundler.io/) v2.2.5: - * `gem install bundler:2.2.5` -1. Install the required dependencies: - * `bundle install` - * `npm install` -1. Build the website (the output can be found in the `_site` directory): - * `npm run build` -1. Serve the website locally with live reloading: - * `npm run serve` +1. [Install mkdocs](https://www.mkdocs.org/user-guide/installation/): `pip install mkdocs` +2. [Install mkdocs-material](https://squidfunk.github.io/mkdocs-material/getting-started/): `pip install mkdocs-material` +3. Serve the site locally: `mkdocs serve` + - The site will be available at `http://localhost:8000/`. diff --git a/_config.yml b/_config.yml deleted file mode 100644 index f17f3676..00000000 --- a/_config.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -title: Privacy Guides -email: jonah@privacyguides.org -description: >- # this means to ignore newlines until "baseurl:" - Massive organizations are monitoring your online activities. - Privacy Guides is your central privacy and security resource to protect yourself online. -baseurl: "" # the subpath of your site, e.g. /blog -url: "https://www.privacyguides.org" # the base hostname & protocol for your site, e.g. http://example.com -sass: - sass_dir: _sass -permalink: pretty -excerpt_separator: -collections_dir: collections -collections: - evergreen: - output: true - permalink: /:slug/ - pages: - output: true - permalink: /:path/ - posts: - permalink: /blog/:year/:month/:day/:title/ - people: - permalink: /blog/authors/:path/ - -build: - date: - time: - -kramdown: - auto_ids: true - -# Build settings -plugins: - - jekyll-brotli - - jekyll-sitemap -exclude: [privacytools.io/] diff --git a/_data/country.yml b/_data/country.yml deleted file mode 100644 index 38550359..00000000 --- a/_data/country.yml +++ /dev/null 
@@ -1,249 +0,0 @@ -AF: Afghanistan -AX: 'Åland Islands' -AL: Albania -DZ: Algeria -AS: 'American Samoa' -AD: Andorra -AO: Angola -AI: Anguilla -AQ: Antarctica -AG: 'Antigua & Barbuda' -AR: Argentina -AM: Armenia -AW: Aruba -AU: Australia -AT: Austria -AZ: Azerbaijan -BS: Bahamas -BH: Bahrain -BD: Bangladesh -BB: Barbados -BY: Belarus -BE: Belgium -BZ: Belize -BJ: Benin -BM: Bermuda -BT: Bhutan -BO: Bolivia -BA: 'Bosnia & Herzegovina' -BW: Botswana -BV: 'Bouvet Island' -BR: Brazil -IO: 'British Indian Ocean Territory' -VG: 'British Virgin Islands' -BN: Brunei -BG: Bulgaria -BF: 'Burkina Faso' -BI: Burundi -KH: Cambodia -CM: Cameroon -CA: Canada -CV: 'Cape Verde' -BQ: 'Caribbean Netherlands' -KY: 'Cayman Islands' -CF: 'Central African Republic' -TD: Chad -CL: Chile -CN: China -CX: 'Christmas Island' -CC: 'Cocos (Keeling) Islands' -CO: Colombia -KM: Comoros -CG: 'Congo - Brazzaville' -CD: 'Congo - Kinshasa' -CK: 'Cook Islands' -CR: 'Costa Rica' -CI: 'Côte d’Ivoire' -HR: Croatia -CU: Cuba -CW: Curaçao -CY: Cyprus -CZ: Czechia -DK: Denmark -DJ: Djibouti -DM: Dominica -DO: 'Dominican Republic' -EC: Ecuador -EG: Egypt -SV: 'El Salvador' -GQ: 'Equatorial Guinea' -ER: Eritrea -EE: Estonia -SZ: Eswatini -ET: Ethiopia -FK: 'Falkland Islands' -FO: 'Faroe Islands' -FJ: Fiji -FI: Finland -FR: France -GF: 'French Guiana' -PF: 'French Polynesia' -TF: 'French Southern Territories' -GA: Gabon -GM: Gambia -GE: Georgia -DE: Germany -GH: Ghana -GI: Gibraltar -GR: Greece -GL: Greenland -GD: Grenada -GP: Guadeloupe -GU: Guam -GT: Guatemala -GG: Guernsey -GN: Guinea -GW: Guinea-Bissau -GY: Guyana -HT: Haiti -HM: 'Heard & McDonald Islands' -HN: Honduras -HK: 'Hong Kong SAR China' -HU: Hungary -IS: Iceland -IN: India -ID: Indonesia -IR: Iran -IQ: Iraq -IE: Ireland -IM: 'Isle of Man' -IL: Israel -IT: Italy -JM: Jamaica -JP: Japan -JE: Jersey -JO: Jordan -KZ: Kazakhstan -KE: Kenya -KI: Kiribati -KW: Kuwait -KG: Kyrgyzstan -LA: Laos -LV: Latvia -LB: Lebanon -LS: Lesotho -LR: Liberia -LY: Libya 
-LI: Liechtenstein -LT: Lithuania -LU: Luxembourg -MO: 'Macao SAR China' -MG: Madagascar -MW: Malawi -MY: Malaysia -MV: Maldives -ML: Mali -MT: Malta -MH: 'Marshall Islands' -MQ: Martinique -MR: Mauritania -MU: Mauritius -YT: Mayotte -MX: Mexico -FM: Micronesia -MD: Moldova -MC: Monaco -MN: Mongolia -ME: Montenegro -MS: Montserrat -MA: Morocco -MZ: Mozambique -MM: 'Myanmar (Burma)' -NA: Namibia -NR: Nauru -NP: Nepal -NL: Netherlands -NC: 'New Caledonia' -NZ: 'New Zealand' -NI: Nicaragua -NE: Niger -NG: Nigeria -NU: Niue -NF: 'Norfolk Island' -KP: 'North Korea' -MK: 'North Macedonia' -MP: 'Northern Mariana Islands' -'NO': Norway -OM: Oman -PK: Pakistan -PW: Palau -PS: 'Palestinian Territories' -PA: Panama -PG: 'Papua New Guinea' -PY: Paraguay -PE: Peru -PH: Philippines -PN: 'Pitcairn Islands' -PL: Poland -PT: Portugal -PR: 'Puerto Rico' -QA: Qatar -RE: Réunion -RO: Romania -RU: Russia -RW: Rwanda -WS: Samoa -SM: 'San Marino' -ST: 'São Tomé & Príncipe' -SA: 'Saudi Arabia' -SN: Senegal -RS: Serbia -SC: Seychelles -SL: 'Sierra Leone' -SG: Singapore -SX: 'Sint Maarten' -SK: Slovakia -SI: Slovenia -SB: 'Solomon Islands' -SO: Somalia -ZA: 'South Africa' -GS: 'South Georgia & South Sandwich Islands' -KR: 'South Korea' -SS: 'South Sudan' -ES: Spain -LK: 'Sri Lanka' -BL: 'St. Barthélemy' -SH: 'St. Helena' -KN: 'St. Kitts & Nevis' -LC: 'St. Lucia' -MF: 'St. Martin' -PM: 'St. Pierre & Miquelon' -VC: 'St. Vincent & Grenadines' -SD: Sudan -SR: Suriname -SJ: 'Svalbard & Jan Mayen' -SE: Sweden -CH: Switzerland -SY: Syria -TW: Taiwan -TJ: Tajikistan -TZ: Tanzania -TH: Thailand -TL: Timor-Leste -TG: Togo -TK: Tokelau -TO: Tonga -TT: 'Trinidad & Tobago' -TN: Tunisia -TR: Turkey -TM: Turkmenistan -TC: 'Turks & Caicos Islands' -TV: Tuvalu -UM: 'U.S. Outlying Islands' -VI: 'U.S. 
Virgin Islands' -UG: Uganda -UA: Ukraine -AE: 'United Arab Emirates' -GB: 'United Kingdom' -US: 'United States' -UY: Uruguay -UZ: Uzbekistan -VU: Vanuatu -VA: 'Vatican City' -VE: Venezuela -VN: Vietnam -WF: 'Wallis & Futuna' -EH: 'Western Sahara' -YE: Yemen -ZM: Zambia -ZW: Zimbabwe diff --git a/_data/dns/adguard.yml b/_data/dns/adguard.yml deleted file mode 100644 index 867c5099..00000000 --- a/_data/dns/adguard.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: AdGuard -homepage: 'https://adguard.com/en/adguard-dns/overview.html' -source: 'https://github.com/AdguardTeam/AdGuardDNS/' -privacy_policy: - link: 'https://adguard.com/en/privacy/dns.html' -type: - name: Commercial -logs: - policy: true - text: Some - link: 'https://adguard.com/en/privacy/dns.html' - tooltip: >- - We store aggregated performance metrics of our DNS server, namely the number of complete requests to a particular server, the number of blocked requests, the speed of processing requests. - We keep and store the database of domains requested in the last 24 hours. We need this information to identify and block new trackers and threats. - We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters. -protocols: - - name: Cleartext - - name: DoH - - name: DoT - - name: DNSCrypt -ecs: - status: false -filtering: Based on server choice. Filter list being used can be found here. \ No newline at end of file diff --git a/_data/dns/cloudflare.yml b/_data/dns/cloudflare.yml deleted file mode 100644 index fb62f66e..00000000 --- a/_data/dns/cloudflare.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -title: Cloudflare -homepage: 'https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/' -privacy_policy: - link: 'https://www.cloudflare.com/privacypolicy/' -type: - name: Commercial -logs: - policy: true - text: Some - link: 'https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/' - tooltip: >- - "Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. - The 1.1.1.1 resolver service does not log personal data, - and the bulk of the limited non-personally identifiable query data is only stored for 25 hours." -protocols: - - name: Cleartext - - name: DoH - - name: DoT -ecs: - status: false -filtering: Based on server choice. \ No newline at end of file diff --git a/_data/dns/controld.yml b/_data/dns/controld.yml deleted file mode 100644 index 39030aba..00000000 --- a/_data/dns/controld.yml +++ /dev/null @@ -1,19 +0,0 @@ -title: ControlD -homepage: 'https://controld.com/' -privacy_policy: - link: 'https://controld.com/privacy' -type: - name: Commercial -logs: - policy: true - text: Optional - tooltip: >- - Neither free nor premium service have logging enabled by default. Premium users can enable logging/analytics at will. - color: info -protocols: - - name: Cleartext - - name: DoH - - name: DoT -ecs: - status: false -filtering: Based on server choice \ No newline at end of file diff --git a/_data/dns/mullvad.yml b/_data/dns/mullvad.yml deleted file mode 100644 index aa573d14..00000000 --- a/_data/dns/mullvad.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -title: MullvadDNS -homepage: 'https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/' -source: 'https://github.com/mullvad/dns-adblock' -privacy_policy: - link: 'https://mullvad.net/en/help/privacy-policy/' - tooltip: >- - "Our public DNS service offers DNS over HTTPS (DoH) and DNS over TLS (DoT), with QNAME minimization and basic ad blocking. It has been audited by the security experts at Assured. You can use this privacy-enhancing service even if you don't use Mullvad." -type: - name: Commercial -logs: - policy: false -protocols: - - name: DoH - - name: DoT -ecs: - status: false -filtering: Based on server choice. Filter list being used can be found here. \ No newline at end of file diff --git a/_data/dns/nextdns.yml b/_data/dns/nextdns.yml deleted file mode 100644 index b458e508..00000000 --- a/_data/dns/nextdns.yml +++ /dev/null @@ -1,22 +0,0 @@ -title: NextDNS -homepage: 'https://www.nextdns.io/' -privacy_policy: - link: 'https://www.nextdns.io/privacy' -type: - name: Commercial -logs: - policy: true - text: Optional - tooltip: >- - NextDNS can provide insights and logging features on an opt-in basis. - Users can choose retention times and log storage locations for any logs they choose to keep. - color: info -protocols: - - name: Cleartext - - name: DoH - - name: DoT - - name: DNSCrypt -ecs: - status: true - text: Optional -filtering: Based on server choice diff --git a/_data/dns/quad9.yml b/_data/dns/quad9.yml deleted file mode 100644 index c7bd93d5..00000000 --- a/_data/dns/quad9.yml +++ /dev/null @@ -1,17 +0,0 @@ -title: Quad9 -homepage: 'https://quad9.net/' -privacy_policy: - link: 'https://quad9.net/service/privacy' -type: - name: Non-Profit -logs: - policy: false -protocols: - - name: Cleartext - - name: DoH - - name: DoT - - name: DNSCrypt -ecs: - status: true - text: Optional -filtering: Based on server choice, Malware blocking by default 
diff --git a/_data/nav/1_providers.yml b/_data/nav/1_providers.yml deleted file mode 100644 index 948d9fd3..00000000 --- a/_data/nav/1_providers.yml +++ /dev/null @@ -1,31 +0,0 @@ -type: dropdown -title: Providers -items: - - type: link - title: Cloud Storage - icon: fad fa-cloud - file: _evergreen/cloud.md - - type: link - title: DNS Servers - icon: fad fa-map-signs - file: _evergreen/dns.md - - type: link - title: Email Providers - icon: fad fa-envelope - file: legacy_pages/providers/email.html - - type: link - title: Search Engines - icon: fad fa-search-location - file: _evergreen/search-engines.md - - type: link - title: Social Networks - icon: fad fa-thumbs-up - file: legacy_pages/providers/social-networks.html - - type: link - title: Social News Aggregators - icon: fad fa-newspaper - file: legacy_pages/providers/social-news-aggregator.html - - type: link - title: VPN Services - icon: fad fa-network-wired - file: legacy_pages/providers/vpn.html diff --git a/_data/nav/2_software.yml b/_data/nav/2_software.yml deleted file mode 100644 index 906f36b2..00000000 --- a/_data/nav/2_software.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -type: dropdown -title: Software -items: - - type: link - title: Browsers - icon: fad fa-browser - file: _evergreen/browsers.md - - type: divider - - type: link - title: Calendar/Contacts Sync Tools - icon: fad fa-calendar-day - file: legacy_pages/software/cal-card.html - - type: link - title: Digital Notebooks - icon: fad fa-edit - file: legacy_pages/software/notebooks.html - - type: link - title: Email Clients - icon: fad fa-envelope-open-text - file: legacy_pages/software/email.html - - type: link - title: File Encryption Tools - icon: fad fa-file-certificate - file: legacy_pages/software/file-encryption.html - - type: link - title: File Sharing and Sync - icon: fad fa-file-user - file: legacy_pages/software/file-sharing.html - - type: link - title: Metadata Removal Tools - icon: fad fa-file-times - file: legacy_pages/software/metadata-removal-tools.html - - type: link - title: Password Managers - icon: fad fa-user-lock - file: legacy_pages/software/passwords.html - - type: link - title: Productivity Tools - icon: fad fa-briefcase - file: legacy_pages/software/productivity.html - - type: link - title: Real-Time Communication - icon: fad fa-comments-alt - file: _evergreen/real-time-communication.md - - type: link - title: Self-Contained Networks - icon: fad fa-chart-network - file: legacy_pages/software/networks.html - - type: link - title: Video Streaming - icon: fad fa-video - file: _evergreen/video-streaming.md diff --git a/_data/nav/3_operating_systems.yml b/_data/nav/3_operating_systems.yml deleted file mode 100644 index cb36df23..00000000 --- a/_data/nav/3_operating_systems.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -type: dropdown -title: Operating Systems -items: - - type: link - title: Android - icon: fab fa-android - file: _evergreen/android.md - - type: link - title: Linux Desktop - icon: fab fa-linux - file: _evergreen/linux-desktop.md - - type: link - title: Qubes OS - icon: pg-qubes - file: _evergreen/qubes.md - - type: link - title: Router - icon: fa-duotone fa-circle-nodes - file: _evergreen/router.md diff --git a/_data/nav/4_privacy.yml b/_data/nav/4_privacy.yml deleted file mode 100644 index 569291f4..00000000 --- a/_data/nav/4_privacy.yml +++ /dev/null @@ -1,7 +0,0 @@ -type: dropdown -title: Privacy -items: - - type: link - title: Threat Modeling - icon: fad fa-bullseye-arrow - file: _evergreen/threat-modeling.md diff --git a/_data/nav/5_blog.yml b/_data/nav/5_blog.yml deleted file mode 100644 index 7cc0e7d1..00000000 --- a/_data/nav/5_blog.yml +++ /dev/null @@ -1,3 +0,0 @@ -type: link -title: Blog -file: blog.html diff --git a/_data/operating-systems/android-applications/1_orbot.yml b/_data/operating-systems/android-applications/1_orbot.yml deleted file mode 100644 index f1c1c2fb..00000000 --- a/_data/operating-systems/android-applications/1_orbot.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: Orbot -type: Recommendation -logo: /assets/img/android/orbot.svg -description: | - **Orbot** is a free proxy app that routes your connections through the Tor Network. - - Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch (⚙️ Settings → Network & internet → VPN → ⚙️ → Block connections without VPN). - - For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* ( ⁝ →Settings → Connectivity). This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. - - #### Notes - Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot) instead. - - All versions are signed using the same signature so they should be compatible with each other. -website: 'https://orbot.app/' -downloads: - - icon: pg-f-droid - url: 'https://guardianproject.info/fdroid' - - icon: fab fa-google-play - url: 'https://play.google.com/store/apps/details?id=org.torproject.android' - - icon: fab fa-github - url: 'https://github.com/guardianproject/orbot' - - icon: fab fa-gitlab - url: 'https://gitlab.com/guardianproject/orbot' diff --git a/_data/operating-systems/android-applications/2_shelter.yml b/_data/operating-systems/android-applications/2_shelter.yml deleted file mode 100644 index 6e388ffc..00000000 --- a/_data/operating-systems/android-applications/2_shelter.yml +++ /dev/null 
@@ -1,25 +0,0 @@
-title: Shelter
-type: Recommendation
-logo: /assets/img/android/shelter.svg
-description: |
- **Shelter** is an app that helps you leverage the Android work profile to isolate other apps.
-
- Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
-
- #### Notes
- As CalyxOS includes a device controller, we recommend using their built in work profile instead.
-
- Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
-
- When using Shelter, you are placing complete trust in its developer as Shelter would be acting as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) for the work profile and has extensive access to the data stored within it.
-
-website: 'https://gitea.angry.im/PeterCxy/Shelter'
-downloads:
- - icon: pg-f-droid
- url: 'https://f-droid.org/en/packages/net.typeblog.shelter'
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=net.typeblog.shelter'
- - icon: fab fa-github
- url: 'https://github.com/PeterCxy/Shelter'
- - icon: fab fa-git
- url: 'https://gitea.angry.im/PeterCxy/Shelter'
diff --git a/_data/operating-systems/android-applications/3_auditor.yml b/_data/operating-systems/android-applications/3_auditor.yml
deleted file mode 100644
index 9c1b91a2..00000000
--- a/_data/operating-systems/android-applications/3_auditor.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Auditor
-type: Recommendation
-logo: /assets/img/android/auditor.svg
-logo_dark: /assets/img/android/auditor-dark.svg
-description: |
- **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). It currently works with GrapheneOS and the stock operating system. It performs attestation and intrusion detection by:
-
- * Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
- * The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
- * The *auditor* records the current state and configuration of the *auditee*.
- * Should tampering with the operating system of the *auditee* after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
- * The user will be alerted to the change.
-
- No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
-
- If your [threat model](/threat-modeling/) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
-
- To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
-
-website: 'https://attestation.app'
-privacy_policy: 'https://attestation.app/privacy-policy'
-downloads:
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=app.attestation.auditor'
- - icon: fab fa-github
- url: 'https://github.com/GrapheneOS/Auditor'
diff --git a/_data/operating-systems/android-applications/4_secure_camera.yml b/_data/operating-systems/android-applications/4_secure_camera.yml
deleted file mode 100644
index 06467abe..00000000
--- a/_data/operating-systems/android-applications/4_secure_camera.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Secure Camera
-type: Recommendation
-logo: /assets/img/android/secure_camera.svg
-logo_dark: /assets/img/android/secure_camera-dark.svg
-description: |
- **Secure Camera** is an camera app focused on privacy and security which can capture images, videos, and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
-
- Main privacy features include
- - Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default)
- - Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required
- - Microphone permission not required unless you want to record sound
-
- ### Notes
- Metadata is not currently deleted from video files but that is planned.
-
- The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [Scrambled Exif](https://gitlab.com/juanitobananas/scrambled-exif/).
-
-website: 'https://github.com/GrapheneOS/Camera'
-downloads:
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=app.grapheneos.camera.play'
- - icon: fab fa-github
- url: 'https://github.com/GrapheneOS/Camera/releases'
diff --git a/_data/operating-systems/android-applications/5_secure_pdf_viewer.yml b/_data/operating-systems/android-applications/5_secure_pdf_viewer.yml
deleted file mode 100644
index aa0588ae..00000000
--- a/_data/operating-systems/android-applications/5_secure_pdf_viewer.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: Secure PDF Viewer
-type: Recommendation
-logo: /assets/img/android/secure_pdf_viewer.svg
-logo_dark: /assets/img/android/secure_pdf_viewer-dark.svg
-description: |
- **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.
-
- [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
-
-website: 'https://github.com/GrapheneOS/PdfViewer'
-downloads:
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play'
- - icon: fab fa-github
- url: 'https://github.com/GrapheneOS/PdfViewer/releases'
diff --git a/_data/operating-systems/android-applications/6_privacyblur.yml b/_data/operating-systems/android-applications/6_privacyblur.yml
deleted file mode 100644
index 538cbc67..00000000
--- a/_data/operating-systems/android-applications/6_privacyblur.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-title: PrivacyBlur
-type: Recommendation
-logo: /assets/img/android/privacyblur.svg
-description: |
- **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
-
- ### Notes
- You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this we suggest [Pocket Paint](https://github.com/Catrobat/Paintroid) or [Imagepipe](https://codeberg.org/Starfish/Imagepipe).
-website: 'https://privacyblur.app/'
-downloads:
- - icon: pg-f-droid
- url: 'https://f-droid.org/en/packages/de.mathema.privacyblur/'
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=de.mathema.privacyblur'
- - icon: fab fa-github
- url: 'https://github.com/MATHEMA-GmbH/privacyblur'
diff --git a/_data/operating-systems/android-fdroid/1_droid-ify.yml b/_data/operating-systems/android-fdroid/1_droid-ify.yml
deleted file mode 100644
index 43c613e2..00000000
--- a/_data/operating-systems/android-fdroid/1_droid-ify.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-title: Droid-ify
-type: Recommendation
-logo: /assets/img/android/droid-ify.png
-description: |
- **Droid-ify** is a modern F-Droid client made with MaterialUI, forked from [Foxy Droid](https://github.com/kitsunyan/foxy-droid).
-
- Unlike the official F-Droid client, Droid-ify supports seamless updates on Android 12 and above without the need for a privileged extension. If your Android distribution is on Android 12 or above and does not include the [F-Droid privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged/), it is highly recommended that you use Droid-ify instead of the official client.
-downloads:
- - icon: fab fa-android
- url: 'https://android.izzysoft.de/repo/apk/com.looker.droidify'
- - icon: fab fa-github
- url: 'https://github.com/Iamlooker/Droid-ify'
\ No newline at end of file
diff --git a/_data/operating-systems/android/1_grapheneos.yml b/_data/operating-systems/android/1_grapheneos.yml
deleted file mode 100644
index 1a16ef9b..00000000
--- a/_data/operating-systems/android/1_grapheneos.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: GrapheneOS
-type: Recommendation
-logo: /assets/img/android/grapheneos.svg
-logo_dark: /assets/img/android/grapheneos-dark.svg
-description: |
- **GrapheneOS** is the best choice when it comes to privacy and security.
-
- GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
-
- Notably, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play). Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user [profile](/android/#android-security-privacy) of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's [Firebase Cloud Messaging](https://firebase.google.com/docs/cloud-messaging/) service. GrapheneOS allows you to take advantage of most [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) whilst having full user control over their permissions and access.
-
- Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet its hardware security requirement and are supported.
-
- #### Notes
- GrapheneOS's "extended support" devices do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure.
-website: 'https://grapheneos.org/'
-privacy_policy: 'https://grapheneos.org/faq#privacy-policy'
-downloads:
- - icon: fab fa-github
- url: 'https://github.com/GrapheneOS'
diff --git a/_data/operating-systems/android/2_calyxos.yml b/_data/operating-systems/android/2_calyxos.yml
deleted file mode 100644
index 5bef9335..00000000
--- a/_data/operating-systems/android/2_calyxos.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-title: CalyxOS
-type: Recommendation
-logo: /assets/img/android/calyxos.svg
-description: |
- **CalyxOS** is a decent alternative to GrapheneOS.
-
- It has some privacy features on top of AOSP, including [Datura firewall](https://calyxos.org/docs/tech/datura-details), [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
-
- To accomodate users who need Google Play Services, CalyxOS optionally includes [MicroG](https://microg.org/). With MicroG, CalyxOS also bundles in the [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu) location services.
-
- Currently, CalyxOS only supports [Pixel phones](https://calyxos.org/docs/guide/device-support/).
-
- #### Notes
- CalyxOS's "extended support" does not have full security patches due to the original equipment manufacturer (OEM) discontinuing support; therefore, they cannot be considered completely secure.
-
-website: 'https://calyxos.org'
-privacy_policy: 'https://calyxinstitute.org/legal/privacy-policy'
-downloads:
- - icon: fab fa-github
- url: 'https://github.com/CalyxOS'
- - icon: fab fa-gitlab
- url: 'https://gitlab.com/calyxos'
diff --git a/_data/operating-systems/android/3_divestos.yml b/_data/operating-systems/android/3_divestos.yml
deleted file mode 100644
index 4fe6d66a..00000000
--- a/_data/operating-systems/android/3_divestos.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: DivestOS
-type: Recommendation
-logo: /assets/img/android/divestos.svg
-description: |
- **DivestOS** is a [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) of [LineageOS](https://lineageos.org/).
-
- DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
-
- DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, and [F-Droid](https://www.f-droid.org) as the app store. It includes [UnifiedNlp](https://github.com/microg/UnifiedNlp) for network location and some hardening with [Mulch Webview](https://gitlab.com/divested-mobile/mulch). Users can also select the [Bromite SystemWebView](https://www.bromite.org/system_web_view) in ⚙️ Settings → Developer options → Webview implementation. DivestOS also includes kernel patches from GrapheneOS and enables security features in [defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698).
-
- DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) permission toggle and [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc).
-
- #### Notes
- DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
-
- Not all of the supported devices have [verified boot](https://source.android.com/security/verifiedboot), and some perform it better than others.
-
-website: 'https://divestos.org'
-website_tor: 'http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion'
-privacy_policy: 'https://divestos.org/index.php?page=privacy_policy'
-downloads:
- - icon: fab fa-github
- url: 'https://github.com/divested-mobile'
- - icon: fab fa-gitlab
- url: 'https://gitlab.com/divested-mobile'
diff --git a/_data/operating-systems/linux-desktop-immutable/1_fedora-silverblue.yml b/_data/operating-systems/linux-desktop-immutable/1_fedora-silverblue.yml
deleted file mode 100644
index 54a1c51e..00000000
--- a/_data/operating-systems/linux-desktop-immutable/1_fedora-silverblue.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-title: Fedora Silverblue (and Kinoite)
-type: Recommendation
-logo: /assets/img/linux-desktop/fedora-silverblue.svg
-description: |
- **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
-
- Silverblue (and Kionite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
-
- After the update is complete the user will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that a user can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
-
- [Flatpak](https://www.flatpak.org) is the primary package installation method on these distrbutions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
-
- As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
-
-website: 'https://silverblue.fedoraproject.org'
-privacy_policy: 'https://fedoraproject.org/wiki/Legal:PrivacyPolicy#Sharing_Your_Personal_Data'
diff --git a/_data/operating-systems/linux-desktop-immutable/2_nixos.yml b/_data/operating-systems/linux-desktop-immutable/2_nixos.yml
deleted file mode 100644
index 3372c937..00000000
--- a/_data/operating-systems/linux-desktop-immutable/2_nixos.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-title: NixOS
-type: Recommendation
-logo: /assets/img/linux-desktop/nixos.svg
-description: |
- NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
-
- NixOS's package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
-
- NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
-
- Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
-
- [Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single Github repository. You can also define your own packages in the same language and then easily include them in your config.
-
- Nix is a source-based package manager; if there's no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
-
-website: 'https://nixos.org'
diff --git a/_data/operating-systems/linux-desktop-tor/1_whonix.yml b/_data/operating-systems/linux-desktop-tor/1_whonix.yml
deleted file mode 100644
index b44d4979..00000000
--- a/_data/operating-systems/linux-desktop-tor/1_whonix.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-title: Whonix
-type: Recommendation
-logo: /assets/img/linux-desktop/whonix.svg
-description: |
- **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet.
-
- Whonix is meant to run as two virtual machines: a "Workstation" and a Tor "Gateway". All communications from the Workstation has to go through the Tor gateway, and will be routed through the Tor Network.
-
- Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
-
- Future versions of Whonix will likely include [full system Apparmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
-
- Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers).
-
-website: 'https://www.whonix.org/'
-website_tor: 'http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/'
diff --git a/_data/operating-systems/linux-desktop-tor/2_tails.yml b/_data/operating-systems/linux-desktop-tor/2_tails.yml
deleted file mode 100644
index de0677b0..00000000
--- a/_data/operating-systems/linux-desktop-tor/2_tails.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-title: Tails
-type: Recommendation
-logo: /assets/img/linux-desktop/tails.svg
-description: |
- **Tails** is a live operating system based on Debian that routes all communications through Tor.
-
- It can boot on almost any computer from a DVD, USB stick, or sdcard. It aims to preserve privacy and anonymity while circumventing censorship and leaving no trace of itself on the computer it is used on.
-
- By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/first_steps/persistence/index.en.html) can be configured to store some data.
-
-website: 'https://tails.boum.org'
diff --git a/_data/operating-systems/linux-desktop/1_fedora-workstation.yml b/_data/operating-systems/linux-desktop/1_fedora-workstation.yml
deleted file mode 100644
index 15b59eff..00000000
--- a/_data/operating-systems/linux-desktop/1_fedora-workstation.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-title: Fedora Workstation
-type: Recommendation
-logo: /assets/img/linux-desktop/fedora-workstation.svg
-labels: 'color==info::icon==fas fa-fw fa-trophy::text==Beginner friendly::tooltip==We highly recommend that new Linux users use Fedora Workstation.'
-description: |
- **Fedora Workstation** is our recommended distribution for users new to Linux.
-
- It has a semi-[rolling release](https://en.wikipedia.org/wiki/Rolling_release) cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
-
- Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), and soon, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). These new technologies often come with improvements in security, privacy, and usability in general.
-
-website: 'https://getfedora.org'
-privacy_policy: 'https://fedoraproject.org/wiki/Legal:PrivacyPolicy#Sharing_Your_Personal_Data'
diff --git a/_data/operating-systems/linux-desktop/2_opensuse-tumbleweed.yml b/_data/operating-systems/linux-desktop/2_opensuse-tumbleweed.yml
deleted file mode 100644
index f0dcc00d..00000000
--- a/_data/operating-systems/linux-desktop/2_opensuse-tumbleweed.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-title: openSUSE Tumbleweed
-type: Recommendation
-logo: /assets/img/linux-desktop/opensuse-tumbleweed.svg
-description: |
- **openSUSE Tumbleweed** is a stable [rolling release](https://en.wikipedia.org/wiki/Rolling_release) distribution.
-
- Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When the user upgrades their system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by the [openSUSE Build Service](https://build.opensuse.org) to ensure its quality.
-
- openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
-
-website: 'https://get.opensuse.org/tumbleweed/'
diff --git a/_data/operating-systems/linux-desktop/3_archlinux.yml b/_data/operating-systems/linux-desktop/3_archlinux.yml
deleted file mode 100644
index b3bbe2be..00000000
--- a/_data/operating-systems/linux-desktop/3_archlinux.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-title: Arch Linux
-type: Recommendation
-logo: /assets/img/linux-desktop/archlinux.svg
-description: |
- **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
-
- Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
-
- Being a DIY distribution, the user is [expected to setup and maintain](/linux-desktop/#arch-based-distributions) their system. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
-
- A large portion of [Arch Linux's packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
-
-website: 'https://archlinux.org'
-privacy_policy: 'https://wiki.archlinux.org/index.php/ArchWiki:Privacy_policy'
diff --git a/_data/operating-systems/qubes/1_qubes.yml b/_data/operating-systems/qubes/1_qubes.yml
deleted file mode 100644
index 615b1e55..00000000
--- a/_data/operating-systems/qubes/1_qubes.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-title: Qubes OS
-type: Recommendation
-logo: /assets/img/qubes/qubes_os.svg
-description: |
- **Qubes** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.
-website: 'https://www.qubes-os.org/'
-website_tor: 'http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/'
-privacy_policy: 'https://www.qubes-os.org/privacy/'
-downloads:
- - icon: fab fa-github
- url: 'https://github.com/QubesOS'
diff --git a/_data/operating-systems/router/1_openwrt.yml b/_data/operating-systems/router/1_openwrt.yml
deleted file mode 100644
index e040217f..00000000
--- a/_data/operating-systems/router/1_openwrt.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-title: OpenWrt
-type: Recommendation
-logo: /assets/img/router/openwrt.svg
-logo_dark: /assets/img/router/openwrt-dark.svg
-description: |
- **OpenWrt** is an operating system (in particular, an embedded operating system) based on the Linux kernel, primarily used on embedded devices to route network traffic. The main components are the Linux kernel, util-linux, uClibc, and BusyBox. All components have been optimized for size, to be small enough for fitting into the limited storage and memory available in home routers.
-
- ## Notes
- Consult the [Table of Hardware](https://openwrt.org/toh/start) to check if your device is supported.
-
-website: 'https://openwrt.org'
-downloads:
- - icon: fab fa-git
- url: 'https://git.openwrt.org/'
diff --git a/_data/operating-systems/router/2_pfsense.yml b/_data/operating-systems/router/2_pfsense.yml
deleted file mode 100644
index b26c42b1..00000000
--- a/_data/operating-systems/router/2_pfsense.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-title: pfSense
-type: Recommendation
-logo: /assets/img/router/pfsense.svg
-logo_dark: /assets/img/router/pfsense-dark.svg
-description: |
- pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network and is noted for its reliability and offering features often only found in expensive commercial firewalls. pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.
-website: 'https://www.pfsense.org'
-privacy_policy: 'https://www.pfsense.org/privacy.html'
-downloads:
- - icon: fab fa-github
- url: 'https://github.com/pfsense'
diff --git a/_data/providers/cloud/1_nextcloud.yml b/_data/providers/cloud/1_nextcloud.yml
deleted file mode 100644
index f72d59df..00000000
--- a/_data/providers/cloud/1_nextcloud.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Nextcloud
-type: Recommendation
-logo: /assets/img/cloud/nextcloud.svg
-description: |
- **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. It also comes with experimental end-to-end encryption (E2EE).
-
- We recommend checking if your Nextcloud provider supports E2EE, otherwise you have to trust the provider to not look at your files.
-
- When self hosting Nextcloud, you should also remember to enable E2EE to protect against your hosting provider from snooping on your data.
-
-website: 'https://nextcloud.com/'
-privacy_policy: 'https://nextcloud.com/privacy/'
-downloads:
- - icon: fab fa-windows
- url: 'https://nextcloud.com/install/#install-clients'
- - icon: fab fa-apple
- url: 'https://nextcloud.com/install/#install-clients'
- - icon: fab fa-linux
- url: 'https://nextcloud.com/install/#install-clients'
- - icon: fab fa-freebsd
- url: 'https://www.freshports.org/www/nextcloud/'
- - icon: pg-openbsd
- url: 'http://openports.se/www/nextcloud'
- - icon: pg-netbsd
- url: 'http://pkgsrc.se/www/php-nextcloud'
- - icon: fab fa-android
- url: 'https://f-droid.org/packages/com.nextcloud.client/'
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=com.nextcloud.client'
- - icon: fab fa-app-store-ios
- url: 'https://apps.apple.com/app/id1125420102'
- - icon: fab fa-github
- url: 'https://github.com/nextcloud'
diff --git a/_data/providers/cloud/2_proton-drive.yml b/_data/providers/cloud/2_proton-drive.yml
deleted file mode 100644
index cd24d897..00000000
--- a/_data/providers/cloud/2_proton-drive.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-title: Proton Drive
-type: Recommendation
-logo: /assets/img/cloud/protondrive.svg
-description: |
- **Proton Drive** is an end-to-end encrypted (E2EE) general file storage service by the popular encrypted email provider [ProtonMail](https://protonmail.com).
-
- Proton Drive is currently in beta and only is only available through a web client.
-
- When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](/threat-modeling/), consider using an alternative.
-
-website: 'https://protonmail.com'
-privacy_policy: 'https://protonmail.com/privacy-policy'
-downloads:
- - icon: fas fa-globe-americas
- url: 'https://protonmail.com'
- - icon: fab fa-github
- url: 'https://github.com/ProtonMail/WebClients'
diff --git a/_data/providers/cloud/3_tahoe-lafs.yml b/_data/providers/cloud/3_tahoe-lafs.yml
deleted file mode 100644
index cbd4ffba..00000000
--- a/_data/providers/cloud/3_tahoe-lafs.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Tahoe-LAFS (Advanced)
-type: Recommendation
-logo: /assets/img/cloud/tahoe-lafs.svg
-logo_dark: /assets/img/cloud/tahoe-lafs-dark.svg
-description: |
- **Tahoe-LAFS** is a free and open decentralized cloud storage system. It distributes your data across multiple servers. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security. The servers used as storage pools do not have access to your data.
-
- Due to the complexity of the system and the amount of nodes needed to set it up, Tahoe-LAFS is only recommended for seasoned system administrators.
-website: 'https://www.tahoe-lafs.org/'
-downloads:
- - icon: fab fa-windows
- url: 'https://github.com/tahoe-lafs/tahoe-lafs#via-pip'
- - icon: fab fa-apple
- url: 'https://github.com/tahoe-lafs/tahoe-lafs#via-pip'
- - icon: fab fa-linux
- url: 'https://github.com/tahoe-lafs/tahoe-lafs#using-os-packages'
- - icon: pg-netbsd
- url: 'http://pkgsrc.se/filesystems/tahoe-lafs'
- - icon: fab fa-github
- url: 'https://www.tahoe-lafs.org/trac/tahoe-lafs/browser'
diff --git a/_data/providers/search-engines/1_duckduckgo.yml b/_data/providers/search-engines/1_duckduckgo.yml
deleted file mode 100644
index 4afaf78d..00000000
--- a/_data/providers/search-engines/1_duckduckgo.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: DuckDuckGo
-type: Recommendation
-logo: /assets/img/search-engines/duckduckgo.svg
-description: |
- **DuckDuckGo** is a popular search engine and is the default for the Tor Browser.
-
- DuckDuckGo has a [lite](https://duckduckgo.com/lite) and [html](https://duckduckgo.com/html) only version, both of which [do not require JavaScript](https://help.duckduckgo.com/features/non-javascript) and can be used with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion) (append [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version).
-
- DuckDuckGo uses a commercial Bing API and various [other sources](https://help.duckduckgo.com/results/sources) to provide its search data.
-
- #### Notes
- The company is based in the USA.
-
- Their [Privacy Policy](https://duckduckgo.com/privacy) states they do log your search query, but not your IP or any other identifying information.
-
-website: 'https://duckduckgo.com'
-website_tor: 'https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion'
-privacy_policy: 'https://duckduckgo.com/privacy'
diff --git a/_data/providers/search-engines/2_startpage.yml b/_data/providers/search-engines/2_startpage.yml
deleted file mode 100644
index 374ba3cc..00000000
--- a/_data/providers/search-engines/2_startpage.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-title: Startpage
-type: Recommendation
-logo: /assets/img/search-engines/startpage.svg
-description: |
- **Startpage** is a search engine that provides Google search results. It is a very convenient way to get Google search results without experiencing dark patterns such as difficult captchas or being refused access because you used a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/download/).
-
- #### Notes
- Startpage's majority shareholder is System1 who is an adtech company. We don't think that is an issue as they have their own Privacy Policy.
-
- The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) for clarification and was satisfied by the answers we received.
-
- Startpage is based in the Netherlands.
-
- According to their [Privacy Policy](https://www.startpage.com/en/privacy-policy/), they only log details such as: operating system, type of browser and language. They do not log your IP address, search queries or other identifying information.
-
- Startpage proxies Google Search so Google does have access to your search queries.
-
-website: 'https://www.startpage.com'
-privacy_policy: 'https://www.startpage.com/en/privacy-policy'
diff --git a/_data/providers/search-engines/3_mojeek.yml b/_data/providers/search-engines/3_mojeek.yml
deleted file mode 100644
index d6b614be..00000000
--- a/_data/providers/search-engines/3_mojeek.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-title: Mojeek
-type: Recommendation
-logo: /assets/img/search-engines/mojeek.svg
-description: |
- **Mojeek** is another privacy friendly search engine. They use their own crawler to provide search data.
-
- #### Notes
- The company is based in the UK.
-
- According to their [Privacy Policy](https://www.mojeek.com/about/privacy/), they log the originating country, time, page requested, and referral data of each query. IP addresses are not logged.
-
-website: 'https://www.mojeek.com'
-privacy_policy: 'https://www.mojeek.com/about/privacy'
diff --git a/_data/providers/search-engines/4_searx.yml b/_data/providers/search-engines/4_searx.yml
deleted file mode 100644
index 7836811c..00000000
--- a/_data/providers/search-engines/4_searx.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: Searx
-type: Recommendation
-logo: /assets/img/search-engines/searx.svg
-description: |
- **Searx** is an [open-source](https://github.com/asciimoo/searx), self-hostable, metasearch engine, aggregating the results of other search engines while not storing information about its users. There is a [list of public instances](https://searx.space/).
-
- #### Notes
- Searx is a proxy between the user and the search engines it aggregates from. Your search queries will still be sent to the search engines that Searx gets its results from.
-
- When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Searx, as other people looking up illegal content on your instance could draw unwanted attention from authorities.
-
- When you are using a Searx instance, be sure to go read the Privacy Policy of that specific instance. Searx instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information).
-
-website: 'https://searx.me'
-website_tor: 'http://searxspbitokayvkhzhsnljde7rqmn7rvoga6e4waeub3h7ug3nghoad.onion'
diff --git a/_data/schema/organization.yml b/_data/schema/organization.yml
deleted file mode 100644
index 305e74b8..00000000
--- a/_data/schema/organization.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-"@context": https://schema.org
-"@type": Organization
-"name": Privacy Guides
-"description": "Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online."
-"url": 'https://www.privacyguides.org'
-"logo": 'https://www.privacyguides.org/assets/img/layout/apple-touch-icon.png'
-"sameAs":
-- 'https://www.wikidata.org/wiki/Q74788946'
-- 'https://twitter.com/privacy_guides'
-- 'https://github.com/privacyguides'
-- 'https://github.com/privacytools'
-- 'https://twitter.com/privacytoolsIO'
-"alternateName":
-- 'PrivacyTools'
diff --git a/_data/software/browsers-desktop/1_firefox.yml b/_data/software/browsers-desktop/1_firefox.yml
deleted file mode 100644
index 484611f3..00000000
--- a/_data/software/browsers-desktop/1_firefox.yml
+++ /dev/null
@@ -1,63 +0,0 @@ -title: Firefox Desktop -type: Recommendation -logo: /assets/img/browsers/firefox.svg -description: | - **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). - - These options can be found in the *Privacy & Security* settings page ( ≡ → Settings → Privacy & Security). - - ##### **Enhanced Tracking Protection (ETP)** - - - ##### **Sanitize on Close** - - You can still stay logged into websites by allowing exceptions. - - ##### **Disable Search Suggestions** - *These features may not be available depending on your region.* - - - ##### **Disable Telemetry** - - - Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). - - ##### **HTTPS-Only Mode** - - - #### Sync - The [Firefox sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) service is end-to-end encrypted. - - #### Extensions - We generally do not recommend installing any extensions as they increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [uBlock Origin](/browsers/#additional-resources) might be useful to you. The extension is also a 🏆️[Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla. - - #### Arkenfox (advanced) - The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. These options are quite strict but a few are subjective and may cause some websites to not work properly. 
You can easily change these settings to suit your needs. We **strongly recommend** reading through their [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. - -website: 'https://firefox.com' -privacy_policy: 'https://www.mozilla.org/privacy/firefox' -downloads: - - icon: fab fa-windows - url: 'https://www.mozilla.org/firefox/windows' - - icon: fab fa-apple - url: 'https://www.mozilla.org/firefox/mac' - - icon: fab fa-linux - url: 'https://www.mozilla.org/firefox/linux' - - icon: fab fa-freebsd - url: 'https://www.freshports.org/www/firefox' - - icon: fab fa-git - url: 'https://hg.mozilla.org/mozilla-central' diff --git a/_data/software/browsers-mobile/1_bromite.yml b/_data/software/browsers-mobile/1_bromite.yml deleted file mode 100644 index 6e333cfc..00000000 --- a/_data/software/browsers-mobile/1_bromite.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: Bromite -type: Recommendation -logo: /assets/img/browsers/bromite.svg -description: | - **Bromite** is a [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser))-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization. - - These options can be found in *Privacy and Security* ( ⁝ → ⚙️ Settings → Privacy and Security). - - ##### **HTTPS-Only Mode** - - - ##### **Always-on Incognito Mode** - - -website: 'https://www.bromite.org' -privacy_policy: 'https://www.bromite.org/privacy' -downloads: - - icon: fab fa-android - url: 'https://www.bromite.org/fdroid' - - icon: fab fa-github - url: 'https://github.com/bromite/bromite' diff --git a/_data/software/browsers-mobile/2_safari.yml b/_data/software/browsers-mobile/2_safari.yml deleted file mode 100644 index f3da7cb5..00000000 --- a/_data/software/browsers-mobile/2_safari.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -title: Safari -type: Recommendation -logo: /assets/img/browsers/safari.svg -description: | - **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. - - These options can be found in *Privacy and Security* (⚙️ Settings → Safari → Privacy and Security). - - ##### **Cross-Site Tracking Prevention** - Toggling this setting enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). - - - - ##### **Privacy Report** - Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. - - Privacy Report is accessible through the **Aa** icon in the URL bar. - - ##### **Privacy Preserving Ad Measurement** - This is WebKit's own [implementation](https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/) of privacy preserving ad click attribution. If you do not wish to participate, you can disable this feature. - - - - ##### **Apple Pay** - If you do not use Apple Pay, you can toggle off the ability for websites to check for it. - - - - ##### **Always-on Private Browsing** - Open Safari and press the tabs icon in the bottom right corner. Open Tab Groups, located in the bottom middle. - - - - #### iCloud Sync - While synchronization of Safari History, Tab Groups, and iCloud Tabs is end-to-end encrypted, bookmarks are [not](https://support.apple.com/en-us/HT202303); they are only encrypted in transit and stored in an encrypted format on Apple's servers. Apple may be able to decrypt and access them. 
- - If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in *General* (⚙️ Settings → Safari → General → Downloads). - - #### Extensions - We generally do not recommend installing [any extensions](https://www.sentinelone.com/blog/inside-safari-extensions-malware-golden-key-user-data/) as they increase your browser's [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [AdGuard for Safari](/browsers/#additional-resources) might be useful to you. - -website: https://www.apple.com/safari/ -privacy_policy: https://www.apple.com/legal/privacy/data/en/safari/ -downloads: - - icon: fab fa-app-store-ios - url: https://apps.apple.com/us/app/safari/id1146562112 diff --git a/_data/software/browsers-resources/1_ublock_origin.yml b/_data/software/browsers-resources/1_ublock_origin.yml deleted file mode 100644 index ddac4c45..00000000 --- a/_data/software/browsers-resources/1_ublock_origin.yml +++ /dev/null 
@@ -1,18 +0,0 @@
-title: uBlock Origin
-type: Recommendation
-logo: /assets/img/browsers/ublock_origin.svg
-description: |
- **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
-
- We suggest enabling all of the [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) under the "Ads," "Privacy," and "Malware domains". The "Annoyances" and "Multipurpose" lists can also be enabled, but they may break some social media functions. The *AdGuard URL Tracking Protection* filter list makes extensions like CleanURLs and NeatURLs redundant.
-
- We also suggest adding the [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) list and any of the regional lists that might apply to your browsing habits. To add this list, first access settings by clicking on the uBO icon, then the settings icon (⚙️). Go to the bottom of the Filter lists pane and place a checkmark next to Import under the Custom section. Paste the URL of the filter list above into the text area that appears below and click "Apply changes".
-
- Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need.
-
- uBlock Origin also has different [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode). The easy mode [might not](https://www.ranum.com/security/computer_security/editorials/dumb/) necessarily keep you safe from every tracker out there, whereas the more advanced modes let you control exactly what needs to run.
-website: 'https://addons.mozilla.org/firefox/addon/ublock-origin/'
-privacy_policy: 'https://github.com/gorhill/uBlock/wiki/Privacy-policy'
-downloads:
- - icon: fab fa-github
- url: https://github.com/gorhill/uBlock
diff --git a/_data/software/browsers-resources/2_adguard.yml b/_data/software/browsers-resources/2_adguard.yml
deleted file mode 100644
index 3ba07fcc..00000000
--- a/_data/software/browsers-resources/2_adguard.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: AdGuard for Safari
-type: Recommendation
-logo: /assets/img/browsers/adguard.svg
-description: |
- **AdGuard for Safari** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). We suggest enabling the filters labled *#recommended* under the "Ad Blocking" and "Privacy" [content blockers](https://kb.adguard.com/en/safari/overview#content-blockers). The *#recommended* filters can also be enabled for the "Social Widgets" and "Annoyances" content blockers, but they may break some social media functions.
-
- Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need.
-
- There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) which is able to perform system-wide content blocking by means of DNS filtering.
-website: 'https://adguard.com/en/adguard-safari/overview.html'
-privacy_policy: 'https://adguard.com/en/privacy/safari.html'
-downloads:
- - icon: fab fa-safari
- url: 'https://apps.apple.com/app/adguard-for-safari/id1440147259'
- - icon: fab fa-app-store-ios
- url: 'https://apps.apple.com/app/apple-store/id1047223162'
- - icon: fab fa-github
- url: 'https://github.com/AdguardTeam/AdGuardForSafari'
diff --git a/_data/software/browsers-resources/3_terms_of_service_didnt_read.yml b/_data/software/browsers-resources/3_terms_of_service_didnt_read.yml
deleted file mode 100644
index ae651f47..00000000
--- a/_data/software/browsers-resources/3_terms_of_service_didnt_read.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-title: Terms of Service; Didn't Read
-type: Recommendation
-logo: /assets/img/browsers/terms_of_service_didnt_read.svg
-description: |
- **Terms of Service; Didn't Read** grades websites based on their terms of service agreements and privacy policies. It also gives short summaries of those agreements. The analyses and ratings are published transparently by a community of reviewers.
-
- We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website.
-website: 'https://tosdr.org/'
-privacy_policy: 'https://addons.mozilla.org/firefox/addon/terms-of-service-didnt-read/privacy/'
diff --git a/_data/software/browsers/1_tor-browser.yml b/_data/software/browsers/1_tor-browser.yml
deleted file mode 100644
index 12f720d9..00000000
--- a/_data/software/browsers/1_tor-browser.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Tor Browser
-type: Recommendation
-info: Provides Anonymity
-logo: /assets/img/browsers/tor.svg
-description: |
- **Tor Browser** is the choice if you need anonymity. This browser provides you with access to the Tor Bridges and [Tor Network](https://en.wikipedia.org/wiki/Tor_(network)), along with extensions that can be automatically configured to fit its three security levels - *Standard*, *Safer* and *Safest*. We recommend that you do not change any of Tor Browser's default configurations outside of the standard security levels.
-
- #### Extensions
- You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Browser extensions make you stand out from other Tor users and your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
-
-website: 'https://www.torproject.org/'
-website_tor: 'http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/'
-privacy_policy: 'https://support.torproject.org/tbb/tbb-3/'
-downloads:
- - icon: fab fa-windows
- url: 'https://www.torproject.org/download/'
- - icon: fab fa-apple
- url: 'https://www.torproject.org/download/'
- - icon: fab fa-linux
- url: 'https://www.torproject.org/download/'
- - icon: fab fa-android
- url: 'https://guardianproject.info/fdroid/'
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=org.torproject.torbrowser'
- - icon: fab fa-git
- url: 'https://trac.torproject.org/projects/tor'
diff --git a/_data/software/dns-apps/1_rethinkdns.yml b/_data/software/dns-apps/1_rethinkdns.yml
deleted file mode 100644
index b6cbd8e6..00000000
--- a/_data/software/dns-apps/1_rethinkdns.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: RethinkDNS
-type: Recommendation
-logo: /assets/img/android/rethinkdns.svg
-logo_dark: /assets/img/android/rethinkdns-dark.svg
-description: |
- **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNS-over-TLS](/dns/#dns-over-tls-dot), [DNSCrypt](/dns/#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
-website: 'https://rethinkdns.com'
-privacy_policy: 'https://rethinkdns.com/privacy'
-downloads:
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=com.celzero.bravedns'
- - icon: pg-f-droid
- url: 'https://f-droid.org/packages/com.celzero.bravedns'
- - icon: fab fa-github
- url: 'https://github.com/celzero/rethink-app'
diff --git a/_data/software/dns-apps/2_dnscloak.yml b/_data/software/dns-apps/2_dnscloak.yml
deleted file mode 100644
index fbf9c949..00000000
--- a/_data/software/dns-apps/2_dnscloak.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-title: DNSCloak
-type: Recommendation
-logo: /assets/img/ios/dnscloak.png
-privacy_policy: 'https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view'
-description: |
- An open-source iOS client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNSCrypt](/dns/#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
-website: 'https://github.com/s-s/dnscloak/blob/master/README.md'
-downloads:
- - icon: fab fa-app-store-ios
- url: 'https://apps.apple.com/app/id1452162351'
- - icon: fab fa-github
- url: 'https://github.com/s-s/dnscloak'
diff --git a/_data/software/dns-apps/3_dnscrypt-proxy.yml b/_data/software/dns-apps/3_dnscrypt-proxy.yml
deleted file mode 100644
index 5801ea9a..00000000
--- a/_data/software/dns-apps/3_dnscrypt-proxy.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-title: dnscrypt-proxy
-type: Recommendation
-logo: /assets/img/dns/dnscrypt-proxy.svg
-description: |
- A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
-
- ## Note
- The anonymized DNS feature does [**not**](/dns#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic.
-website: 'https://github.com/DNSCrypt/dnscrypt-proxy/wiki'
-downloads:
- - icon: fab fa-github
- url: 'https://github.com/DNSCrypt/dnscrypt-proxy'
diff --git a/_data/software/messengers/1_signal.yml b/_data/software/messengers/1_signal.yml
deleted file mode 100644
index 2dd59f17..00000000
--- a/_data/software/messengers/1_signal.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Signal
-type: Recommendation
-logo: /assets/img/messengers/signal.svg
-labels: 'color==info::icon==fas fa-fw fa-wifi::text==Centralized::tooltip==All communications pass through a single host. |
- color==info::icon==fas fa-fw fa-phone::text==VoIP::tooltip==Voice or video calls are supported.'
-description: |
- **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
-
- All communications are E2EE. Contact lists are encrypted using your login PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts who add you.
-
- Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server.
-
- #### Notes
- Signal requires your phone number as a personal identifier.
-
- [Sealed Sender](https://signal.org/blog/sealed-sender/) is only enabled for users on your contact list but can be enabled for all recipients with the increased risk of receiving spam.
-
- #### Technical information
- The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
-website: 'https://signal.org'
-privacy_policy: 'https://signal.org/legal'
-downloads:
- - icon: fab fa-windows
- url: 'https://signal.org/download'
- - icon: fab fa-apple
- url: 'https://signal.org/download'
- - icon: fab fa-linux
- url: 'https://signal.org/download'
- - icon: fab fa-android
- url: 'https://signal.org/android/apk/#apk-danger'
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms'
- - icon: fab fa-app-store-ios
- url: 'https://apps.apple.com/app/id874139669'
- - icon: fab fa-github
- url: 'https://github.com/signalapp'
diff --git a/_data/software/messengers/2_element.yml b/_data/software/messengers/2_element.yml
deleted file mode 100644
index 5294b070..00000000
--- a/_data/software/messengers/2_element.yml
+++ /dev/null
@@ -1,40 +0,0 @@ -title: Element -type: Recommendation -logo: /assets/img/messengers/element.svg -labels: 'color==info::icon==fas fa-fw fa-wifi::text==Federated::tooltip==Your communications pass through one of a network of hosts that intercommunicate. | - color==info::icon==fas fa-fw fa-wifi::text==P2P::tooltip==One-on-one voice and video calls are peer-to-peer (option can be disabled). | - color==info::icon==fas fa-fw fa-phone::text==VoIP::tooltip==Voice or video calls are supported.' -description: | - **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. - - Messages and files shared in private rooms (those which require an invite) are by default E2EE as are 1 to 1 voice and video calls. - - #### Notes - Profile pictures, reactions, and nicknames are not encrypted. - - Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non room participants can also join the calls. We recommend that you do not use this feature for private meetings. - - When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](/threat-modeling) requires stronger protection, then use a desktop or mobile client instead. - - #### Technical information - The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). 
The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal's [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). - -website: 'https://element.io' -privacy_policy: 'https://element.io/privacy' -downloads: - - icon: fab fa-windows - url: 'https://element.io/get-started' - - icon: fab fa-apple - url: 'https://element.io/get-started' - - icon: fab fa-linux - url: 'https://element.io/get-started' - - icon: fab fa-android - url: 'https://f-droid.org/packages/im.vector.app/' - - icon: fab fa-google-play - url: 'https://play.google.com/store/apps/details?id=im.vector.app' - - icon: fab fa-app-store-ios - url: 'https://apps.apple.com/app/vector/id1083446067' - - icon: fas fa-globe-americas - url: 'https://app.element.io' - - icon: fab fa-github - url: 'https://github.com/vector-im/element-web' diff --git a/_data/software/messengers/3_briar.yml b/_data/software/messengers/3_briar.yml deleted file mode 100644 index 91e87a79..00000000 --- a/_data/software/messengers/3_briar.yml +++ /dev/null 
@@ -1,26 +0,0 @@
-title: Briar
-type: Recommendation
-logo: /assets/img/messengers/briar.svg
-labels: 'color==info::icon==fas fa-fw fa-wifi::text==P2P::tooltip==Senders and recipients connect directly with no middlemen (can be disabled). |
- color==info::icon==fas fa-fw fa-wifi::text==Anonymous Routing::tooltip==Senders and recipients are hidden in the network, no one can know they communicate together (can be disabled).'
-description: |
- **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar's local mesh mode can be useful when internet availability is a problem.
-
- #### Notes
- To [add a contact](https://briarproject.org/manual/) on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact's QR code if they are nearby.
-
- #### Technical information
- The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/) and the anonymous routing protocol uses the Tor network which has also been audited.
-
- Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
-
- Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
-website: 'https://briarproject.org'
-privacy_policy: 'https://briarproject.org/privacy-policy'
-downloads:
- - icon: fab fa-android
- url: 'https://f-droid.org/packages/org.briarproject.briar.android'
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=org.briarproject.briar.android'
- - icon: fab fa-git
- url: 'https://code.briarproject.org/briar/briar'
diff --git a/_data/software/messengers/4_session.yml b/_data/software/messengers/4_session.yml
deleted file mode 100644
index 71e99ee4..00000000
--- a/_data/software/messengers/4_session.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Session
-type: Recommendation
-logo: /assets/img/messengers/session.svg
-labels: 'color==info::icon==fas fa-fw fa-wifi::text==Anonymous Routing::tooltip==Senders and recipients are hidden in the network, no one can know they communicate together.'
-description: |
- **Session** is an encrypted instant messenger that uses three random [service nodes](https://getsession.org/blog/onion-requests-session-new-message-routing-solution) to route messages anonymously on the [Oxen Network](https://oxen.io).
-
- Session allows for E2EE in one-to-one or closed rooms that allow up to 100 members.
-
- Open rooms have no restriction on the number of members, but anyone can join.
-
- #### Notes
- Session does [not](https://getsession.org/blog/session-protocol-technical-information) support forward secrecy. The key pair for each conversation is not rotated.
-
- #### Technical information
- Session was independently [audited](https://getsession.org/session-code-audit/) in 2020. The protocol is described in a [whitepaper](https://arxiv.org/abs/2002.04609).
-
-website: 'https://getsession.org/'
-privacy_policy: 'https://getsession.org/privacy-policy'
-downloads:
- - icon: fab fa-windows
- url: 'https://getsession.org/windows'
- - icon: fab fa-apple
- url: 'https://getsession.org/mac'
- - icon: fab fa-linux
- url: 'https://www.getsession.org/linux'
- - icon: fab fa-android
- url: 'https://fdroid.getsession.org/'
- - icon: fab fa-google-play
- url: 'https://play.google.com/store/apps/details?id=network.loki.messenger'
- - icon: fab fa-app-store-ios
- url: 'https://apps.apple.com/app/id1470168868'
- - icon: fab fa-github
- url: 'https://github.com/oxen-io/session-desktop'
diff --git a/_data/software/video-streaming-clients/1_freetube.yml b/_data/software/video-streaming-clients/1_freetube.yml
deleted file mode 100644
index 7ed28f0c..00000000
--- a/_data/software/video-streaming-clients/1_freetube.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-title: FreeTube
-type: Recommendation
-logo: /assets/img/video-streaming/freetube.svg
-description: |
- **FreeTube** is a free and open source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device.
-
- FreeTube also features [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored advertisements. All YouTube advertisements are also blocked by default.
-
- #### Notes
- When using Freetube, your IP address is still known to YouTube, [Invidious](https://instances.invidious.io) and the SponsorBlock instances that you use. Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org) if your [threat model](/threat-modeling) requires hiding your IP address.
-
-website: 'https://freetubeapp.io'
-privacy_policy: 'https://freetubeapp.io/privacy.php'
-downloads:
- - icon: fab fa-windows
- url: 'https://freetubeapp.io/#download'
- - icon: fab fa-apple
- url: 'https://freetubeapp.io/#download'
- - icon: fab fa-linux
- url: 'https://freetubeapp.io/#download'
- - icon: fab fa-github
- url: 'https://github.com/FreeTubeApp/FreeTube/'
diff --git a/_data/software/video-streaming-clients/2_lbry.yml b/_data/software/video-streaming-clients/2_lbry.yml
deleted file mode 100644
index 5cea56b7..00000000
--- a/_data/software/video-streaming-clients/2_lbry.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: LBRY
-type: Recommendation
-logo: /assets/img/video-streaming/lbry.svg
-description: |
- **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance.
-
- **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
-
- #### Notes
- We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
-
- Only the **LBRY desktop client** is recommended. The [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the AppStore have mandatory synchronization and telemetry.
-
- While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org) if your [threat model](/threat-modeling) requires hiding your IP address.
-
- You can also disable *Save hosting data to help the LBRY network* option (⚙️ Settings → Advanced Settings) to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
-
-website: 'https://lbry.com/'
-privacy_policy: 'https://lbry.com/privacypolicy'
-downloads:
- - icon: fab fa-windows
- url: 'https://lbry.com/get'
- - icon: fab fa-apple
- url: 'https://lbry.com/osx'
- - icon: fab fa-linux
- url: 'https://lbry.com/linux'
- - icon: fab fa-github
- url: 'https://github.com/lbryio'
diff --git a/_data/software/video-streaming-clients/3_newpipe.yml b/_data/software/video-streaming-clients/3_newpipe.yml
deleted file mode 100644
index 2c7170f5..00000000
--- a/_data/software/video-streaming-clients/3_newpipe.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-title: NewPipe
-type: Recommendation
-logo: /assets/img/video-streaming/newpipe.svg
-description: |
- **NewPipe** is a free and open source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [FramaTube](https://framatube.org), and [Bandcamp](https://bandcamp.com).
- Your subscription list and playlists are saved locally on your Android device.
-
- #### Notes
- NewPipe is available on the main [F-Droid](https://www.f-droid.org)'s repository. We recommend that you use the NewPipe's own [F-Droid repository](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo) instead to get faster updates.
-website: 'https://newpipe.net'
-privacy_policy: 'https://newpipe.net/legal/privacy'
-downloads:
- - icon: fab fa-android
- url: 'https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo'
- - icon: fab fa-github
- url: 'https://github.com/TeamNewPipe/NewPipe'
diff --git a/_data/software/video-streaming-clients/4_newpipe-x-sponsorblock.yml b/_data/software/video-streaming-clients/4_newpipe-x-sponsorblock.yml
deleted file mode 100644
index 62cc0e7b..00000000
--- a/_data/software/video-streaming-clients/4_newpipe-x-sponsorblock.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-title: NewPipe x SponsorBlock
-type: Recommendation
-logo: /assets/img/video-streaming/newpipe.svg
-description: |
- **NewPipe x SponsorBlock** is a fork of [NewPipe](https://newpipe.net) with [SponsorBlock](https://sponsor.ajay.app) integrated to help you skip sponsored advertisements.
- It also has some experimental settings such as the ability to use the built-in player for local playback, an option to force fullscreen on landscape mode, and an option to disable error reporting prompts.
-
- #### Notes
- This fork is not endorsed by or affiliated with the upstream project. The NewPipe team has [rejected](https://github.com/TeamNewPipe/NewPipe/pull/3205) integration with SponsorBlock and thus this fork is created to provide this functionality.
-downloads:
- - icon: fab fa-android
- url: 'https://apt.izzysoft.de/fdroid/index/apk/org.polymorphicshade.newpipe'
- - icon: fab fa-github
- url: 'https://github.com/polymorphicshade/NewPipe'
diff --git a/_data/software/video-streaming-front-ends/1_invidious.yml b/_data/software/video-streaming-front-ends/1_invidious.yml
deleted file mode 100644
index 2adf1882..00000000
--- a/_data/software/video-streaming-front-ends/1_invidious.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Invidious
-type: Recommendation
-logo: /assets/img/video-streaming/invidious.svg
-logo_dark: /assets/img/video-streaming/invidious-dark.svg
-description: |
- **Invidious** is a free and open source front end for YouTube that is also self-hostable. There are list of [public instances](https://instances.invidious.io). Some instances have [Tor](https://www.torproject.org) onion services support.
-
- #### Use case
- Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security setting. It does not provide privacy by itself and we don’t recommend logging into any accounts.
-
- #### Notes
- Invidious does not proxy the video stream through its server by default. Videos watched through Invidious will still make direct connections to Google's servers (googlevideo.com); however, some instances support video proxying. This can be enabled by adding `&local=true` to the URL.
-
- When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
-
- When you are using an Invidious instance, be sure to go read the Privacy Policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information).
-
-website: 'https://invidious.io'
-downloads:
- - icon: fas fa-globe-americas
- url: 'https://instances.invidious.io'
- - icon: fab fa-github
- url: 'https://github.com/iv-org/invidious'
diff --git a/_data/software/video-streaming-front-ends/2_piped.yml b/_data/software/video-streaming-front-ends/2_piped.yml
deleted file mode 100644
index fad73cc0..00000000
--- a/_data/software/video-streaming-front-ends/2_piped.yml +++ /dev/null @@ -1,22 +0,0 @@ -title: Piped -type: Recommendation -logo: /assets/img/video-streaming/piped.svg -description: | - **Piped** is a free and open source front end for YouTube that is also self-hostable. Alternative instances can be selected from "Preferences". - - #### Use case - Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself and we don’t recommend logging into any accounts. - - #### Notes - When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. - - When you are using a Piped instance, be sure to go read the Privacy Policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. - - Piped requires javascript in order to function. - -website: 'https://piped.kavin.rocks/' -downloads: - - icon: fas fa-globe-americas - url: 'https://piped.kavin.rocks' - - icon: fab fa-github - url: 'https://github.com/TeamPiped/Piped' diff --git a/_includes/badge.html b/_includes/badge.html deleted file mode 100644 index 71b553e2..00000000 --- a/_includes/badge.html +++ /dev/null @@ -1,21 +0,0 @@ -{% if include.link %} - {{ include.text }} -{% else %}> {{ include.text }} -{% endif %} - -{% else %} - {{include.text}} - {% else %} - > {% if include.icon %}{% endif %} {{include.text}} - {% endif %} - -{% endif %} diff --git a/_includes/blog-card.html b/_includes/blog-card.html deleted file mode 100644 index 277548b0..00000000 --- a/_includes/blog-card.html +++ /dev/null @@ -1,11 +0,0 @@ -
- -
-
-

{{ post.title }}

-

{{ post.excerpt }} Continue Reading...

-

{% for author in page.author %}{{ author }}{% unless forloop.last %}, {% endunless %}{% endfor %} - {{ post.date | date: "%b %-d, %Y" }}

-
-
-
-
diff --git a/_includes/card.html b/_includes/card.html deleted file mode 100644 index 85ae7447..00000000 --- a/_includes/card.html +++ /dev/null @@ -1,5 +0,0 @@ -
-
- {{ include.content | default: markdown_text | markdownify }} -
-
diff --git a/_includes/country.html b/_includes/country.html deleted file mode 100644 index 032250f7..00000000 --- a/_includes/country.html +++ /dev/null @@ -1 +0,0 @@ - {{ site.data.country[include.cc] | escape }} diff --git a/_includes/footer.html b/_includes/footer.html deleted file mode 100644 index 60e6ac94..00000000 --- a/_includes/footer.html +++ /dev/null @@ -1,5 +0,0 @@ -

Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy.

- -

Unless otherwise noted, the original content on this website is made available under a CC0 1.0 Universal Public Domain Dedication. - -

This content was made available by the Privacy Guides team and contributors. Get involved! | Open an Issue | Privacy Policy | Website Terms & Notices

diff --git a/_includes/head.html b/_includes/head.html deleted file mode 100644 index a8eb18b3..00000000 --- a/_includes/head.html +++ /dev/null @@ -1,49 +0,0 @@ - - - - - - - - - - - {% if page.title %} - {{ page.title }} | {{ site.title }} - - {% else %} - {{ site.title }}{%if page.url == "/" %} — Your Central Privacy and Security Resource{% endif %} - - {% endif %} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/_includes/hr.html b/_includes/hr.html deleted file mode 100644 index 7198ab1e..00000000 --- a/_includes/hr.html +++ /dev/null @@ -1 +0,0 @@ -
diff --git a/_includes/legacy/card.html b/_includes/legacy/card.html deleted file mode 100644 index 2bf2da24..00000000 --- a/_includes/legacy/card.html +++ /dev/null @@ -1,76 +0,0 @@ -
-
- {% if include.color == "warning" %} -
- {% else %} -
- {% endif %} -

{{include.title}}

-
-
- {% if include.labels %} - {% assign labels = include.labels | replace:", ", "," | split:"," %} -
- {% for label in labels %} - {% assign label_data = label | split:";" %} - {% assign color = label_data[0] %} - {% assign text = label_data[1] %} - {% assign tooltip = label_data[2] | default: "" %} - {% assign help_icon = '' %} - {{text}} {{ help_icon - }} - {% else %} - >{{text}} - {% endif %} - - {% endfor %} -
- {% endif %} -

- {% if include.image %} - {{include.title}} - {% elsif include.icon %} - - {% elsif include.font %} - - {% endif %} - {{include.description}} -

-
-

- {% if include.url %} - - {% if include.website %} - {{include.website}} - {% else %} - {{ include.url | remove: "https://" | remove: "http://" | remove: "www." | remove: "/" | remove: "github.com" }} - {% endif %} - - {% elsif include.page %} - - {% if include.moretext %} - {{include.moretext}} - {% else %} - Learn More - {% endif %} - - {% endif %} - {% if include.tor %} - Tor - {% endif %} - - {% if include.git %} - Git - {% endif %} - - {% if include.extra_button %} - {{include.extra_button}} - {% endif %} -

- {% if include.footer %} -

{{include.footer}}

- {% endif %} -
-
-
-
diff --git a/_includes/legacy/cardv2.html b/_includes/legacy/cardv2.html deleted file mode 100644 index 219889ec..00000000 --- a/_includes/legacy/cardv2.html +++ /dev/null @@ -1,324 +0,0 @@ -
-
-

- {% if include.badges %} - {{ include.title }} - {% assign badges = include.badges | split:"|" %} - {% for badge in badges %} - {% assign badge_data = badge | split:":" %} - {% assign color = badge_data[0] %} - {% assign text = badge_data[1] %} - {% assign tooltip = badge_data[2] | default: false %} - {% assign help_icon = '' %} - {{text}} {{ help_icon }} - {% else %} - > {{text}} - {% endif %} - - {% endfor %} - {% else %} - {{ include.title }} - {% endif %} -

-
-
-

- - {% if include.image-dark %} - {% endif %} - {{include.title}} logo - - {{ include.description }} - {% if include.labels %} - {% assign labels = include.labels | split:"|" %} - {% for label in labels %} - {% assign label_data = label | split:"::" %} - {% for label_attr in label_data %} - {% assign attr = label_attr | split:"==" %} - {% if attr[0] == "color" %} - {% assign color = attr[1] %} - {% elsif attr[0] == "link" %} - {% assign link = attr[1] %} - {% elsif attr[0] == "text" %} - {% assign text = attr[1] %} - {% elsif attr[0] == "icon" %} - {% assign icon = attr[1] %} - {% elsif attr[0] == "tooltip" %} - {% assign tooltip = attr[1] %} - {% endif %} - {% endfor %} - {% include badge.html - link=link - color=color - text=text - icon=icon - tooltip=tooltip - %} - {% assign color = nil %} - {% assign link = nil %} - {% assign text = nil %} - {% assign icon = nil %} - {% assign tooltip = nil %} - {% endfor %} - {% endif %} -

-
-
- - - Website - - {% if include.privacy-policy %} - - - Privacy Policy - - {% endif %} - {% if include.tor %} - - - - {% endif %} - {% if include.i2p %} - - - - {% endif %} -
- -
- {% if include.windows %} - {% if include.windows != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.mac %} - {% if include.mac != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.linux %} - {% if include.linux != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.freebsd %} - {% if include.freebsd != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.openbsd %} - {% if include.openbsd != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.netbsd %} - {% if include.netbsd != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.firefox %} - {% if include.firefox != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.chrome %} - {% if include.chrome != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.safari %} - {% if include.safari != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.opera %} - {% if include.opera != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.edge %} - {% if include.edge != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.fdroid %} - {% if include.fdroid != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.googleplay %} - {% if include.googleplay != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.android %} - {% if include.android != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.ios %} - {% if include.ios != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.sailfish %} - {% if include.sailfish != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {% if include.web %} - {% if include.web != "" %} - - - - {% else %} - - {% endif %} - {% endif %} - - {{include.icon1}} - {{include.icon2}} - {{include.icon3}} - - {% if include.github %} - - - - {% endif %} - - {% if include.gitlab %} - - - - {% 
endif %} - - {% if include.git %} - - - - {% endif %} - - {% if include.source %} - - - - {% endif %} - -
-
-
-
-
diff --git a/_includes/legacy/panel.html b/_includes/legacy/panel.html deleted file mode 100644 index ed21ee28..00000000 --- a/_includes/legacy/panel.html +++ /dev/null @@ -1,14 +0,0 @@ -
-
- {% if include.color == "warning" %} -
- {% else %} -
- {% endif %} -

{{include.title}}

-
-
- {{include.body}} -
-
-
diff --git a/_includes/legacy/sections/calendar-contacts-sync.html b/_includes/legacy/sections/calendar-contacts-sync.html deleted file mode 100644 index f73d0b3c..00000000 --- a/_includes/legacy/sections/calendar-contacts-sync.html +++ /dev/null @@ -1,59 +0,0 @@ -

Calendar and Contacts Sync

- - - -{% - include legacy/cardv2.html - title="Nextcloud" - image="/assets/img/legacy_svg/3rd-party/nextcloud.svg" - description="Nextcloud is a suite of client-server software for creating and using file hosting services. This includes calendar sync via CalDAV and contacts sync via CardDAV. Nextcloud is free and open-source, thereby allowing anyone to install and operate it without charge on a private server." - website="https://nextcloud.com/" - privacy-policy="https://nextcloud.com/privacy/" - github="https://github.com/nextcloud" - windows="https://nextcloud.com/install/" - linux="https://nextcloud.com/install/" - mac="https://nextcloud.com/install/" - freebsd="https://www.freshports.org/deskutils/nextcloudclient/" - openbsd="http://openports.se/www/nextcloud" - netbsd="http://pkgsrc.se/www/php-nextcloud" - android="https://nextcloud.com/install/" - ios="https://nextcloud.com/install/" -%} - -{% - include legacy/cardv2.html - title="EteSync" - image="/assets/img/legacy_svg/3rd-party/etesync.svg" - description="EteSync is a secure, end-to-end encrypted, and privacy-respecting cloud backup and synchronization software for your personal information (e.g. contacts and calendars). There are native clients for Android, iOS, and the web, and an adapter layer for most desktop clients. It costs $24 per year to use, or you can host the server yourself for free." 
- website="https://www.etesync.com/" - privacy-policy="https://www.etesync.com/tos/#privacy" - github="https://github.com/etesync" - web="https://client.etesync.com/" - windows="https://github.com/etesync/etesync-dav/releases/latest" - mac="https://github.com/etesync/etesync-dav/releases/latest" - linux="https://github.com/etesync/etesync-dav/releases/latest" - freebsd="https://github.com/etesync/etesync-dav/blob/master/README.md#installation" - openbsd="https://github.com/etesync/etesync-dav/blob/master/README.md#installation" - netbsd="https://github.com/etesync/etesync-dav/blob/master/README.md#installation" - fdroid="https://f-droid.org/packages/com.etesync.syncadapter/" - googleplay="https://play.google.com/store/apps/details?id=com.etesync.syncadapter" - ios="https://apps.apple.com/app/id1489574285" -%} - -{% - include legacy/cardv2.html - title="Email Providers" - image="/assets/img/legacy_svg/layout/email.svg" - description='Many email providers also offer calendar and or contacts sync services. Refer to our Email Provider recommendations to choose an email provider and see if they also offer calendar and/or contacts sync.' - website="/providers/email" -%} - -

Worth Mentioning

- -
    -
  • - DecSync - DecSync can be used to synchronize RSS, contacts, and calendars without a server by using file synchronization software such as Syncthing. -
  • -
diff --git a/_includes/legacy/sections/email-clients.html b/_includes/legacy/sections/email-clients.html deleted file mode 100644 index d7f2f928..00000000 --- a/_includes/legacy/sections/email-clients.html +++ /dev/null @@ -1,72 +0,0 @@ -

Desktop Email Clients

- -{% include legacy/cardv2.html - title="Thunderbird" - image="/assets/img/legacy_svg/3rd-party/thunderbird.svg" - description="Thunderbird is a free, open source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation." - website="https://www.thunderbird.net/" - privacy-policy="https://www.mozilla.org/privacy/thunderbird/" - source="https://hg.mozilla.org/comm-central/" - windows="https://www.thunderbird.net" - mac="https://www.thunderbird.net" - linux="https://www.thunderbird.net/" - freebsd="https://www.freshports.org/mail/thunderbird/" - openbsd="http://openports.se/mail/mozilla-thunderbird" - netbsd="http://pkgsrc.se/mail/thunderbird" -%} - -{% include legacy/cardv2.html - title="Mailvelope" - image="/assets/img/legacy_svg/3rd-party/mailvelope.svg" - description="Mailvelope is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard." - website="https://www.mailvelope.com/en" - privacy-policy="https://www.mailvelope.com/en/privacy-policy" - github="https://github.com/mailvelope/mailvelope" - firefox="https://addons.mozilla.org/firefox/addon/mailvelope/" - chrome="https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke?hl" - edge="https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc" -%} - -

Worth Mentioning

- -
    -
  • NeoMutt - NeoMutt is an open-source command line mail reader (or MUA) for Linux and BSD. It’s a fork of Mutt with added features. -
- -

Mobile Email Clients

- -

Android Email Clients

- -{% include legacy/cardv2.html - title="FairEmail" - image="/assets/img/legacy_svg/3rd-party/fairemail.svg" - description="FairEmail is a minimal, open source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage." - website="https://email.faircode.eu/" - privacy-policy="https://github.com/M66B/FairEmail/blob/master/PRIVACY.md" - github="https://github.com/M66B/FairEmail" - fdroid="https://f-droid.org/en/packages/eu.faircode.email/" - googleplay="https://play.google.com/store/apps/details?id=eu.faircode.email" -%} - -{% include legacy/cardv2.html - title="K-9 Mail" - image="/assets/img/legacy_svg/3rd-party/k9mail.svg" - description="K-9 Mail is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP." - website="https://k9mail.app/" - privacy-policy="https://k9mail.app/privacy" - github="https://github.com/k9mail" - fdroid="https://f-droid.org/packages/com.fsck.k9/" - googleplay="https://play.google.com/store/apps/details?id=com.fsck.k9" -%} - -

iOS Email Clients

- -{% include legacy/cardv2.html - title="Canary Mail" - image="/assets/img/legacy_svg/3rd-party/canarymail.svg" - labels="color==warning::link==https://canarymail.io/faq.html::text==Closed source::tooltip==The source programming code for Canary Mail is not available. Canary Mail is a proprietary application." - description="Canary Mail is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock." - website="https://canarymail.io/" - privacy-policy="https://canarymail.io/privacy.html" - ios="https://apps.apple.com/app/id1236045954" -%} diff --git a/_includes/legacy/sections/email-providers.html b/_includes/legacy/sections/email-providers.html deleted file mode 100644 index 69e11ef4..00000000 --- a/_includes/legacy/sections/email-providers.html +++ /dev/null @@ -1,241 +0,0 @@ -

Recommended Email Services

- - - -
- -
-
- ProtonMail -
-
-

ProtonMail {% include badge.html color="info" text="Free" %}

-

ProtonMail.com is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. ProtonMail is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.

- -

Free accounts have some limitations, such as not being able to search body text and not having access to ProtonMail Bridge, which is required to use a recommended desktop email client (e.g. Thunderbird). Paid accounts are available starting at €48/y which include features like ProtonMail Bridge, additional storage, and custom domain support.

- -
{% include badge.html color="success" text="Domains and Aliases" %}
-

Paid ProtonMail users can use their own domain with the service. Catch-all addresses are supported with custom domains for Professional and Visionary plans. ProtonMail also supports subaddressing, which is useful for users who don't want to purchase a domain.

- -
{% include badge.html color="success" text="Payment Methods" %}
-

ProtonMail accepts Bitcoin in addition to accepting credit/debit cards and PayPal.

- -
{% include badge.html color="success" text="Account Security" %}
-

ProtonMail supports TOTP two factor authentication only. The use of a U2F security key is not yet supported. ProtonMail is planning to implement U2F upon completion of their Single Sign On (SSO) code.

- -
{% include badge.html color="success" text="Data Security" %}
-

ProtonMail has zero access encryption at rest for your emails, address book contacts, and calendars. This means the messages and other data stored in your account are only readable by you.

- -
{% include badge.html color="success" text="Email Encryption" %}
-

ProtonMail has integrated OpenPGP encryption in their webmail. Emails to other ProtonMail users are encrypted automatically, and encryption to non-ProtonMail users with an OpenPGP key can be enabled easily in your account settings. They also allow you to encrypt messages to non-ProtonMail users without the need for them to sign up for a ProtonMail account or use software like OpenPGP.

-

ProtonMail also supports the discovery of public keys via HTTP from their Web Key Directory (WKD). This allows users outside of ProtonMail to find the OpenPGP keys of ProtonMail users easily, for cross-provider E2EE.

- -
{% include badge.html color="success" text=".onion Service" %}
-

ProtonMail's login and services are accessible over Tor, protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion

- -
{% include badge.html color="info" text="Extra Functionality" %}
-

ProtonMail offers a "Visionary" account for €24/Month, which also enables access to ProtonVPN in addition to providing multiple accounts, domains, aliases, and extra storage.

-
-
-
-
- Mailbox -
-
-

Mailbox.org {% include badge.html color="info" text="€12/y" %}

-

Mailbox.org is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.

- -
{% include badge.html color="success" text="Domains and Aliases" %}
-

Mailbox.org lets users use their own domain and they support catch-all addresses. Mailbox.org also supports subaddressing, which is useful for users who don't want to purchase a domain.

- -
{% include badge.html color="warning" text="Payment Methods" %}
-

Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.

- -
{% include badge.html color="success" text="Account Security" %}
-

Mailbox.org supports two factor authentication for their webmail only. You can use either TOTP or a Yubikey via the Yubicloud. Web standards such as U2F and WebAuthn are not yet supported.

- -
{% include badge.html color="warning" text="Data Security" %}
-

Mailbox.org allows for encryption of incoming mail using their encrypted mailbox. New messages that you receive will then be immediately encrypted with your public key.

-

However, Open-Exchange, the software platform used by Mailbox.org, does not support the encryption of your address book and calendar. A standalone option may be more appropriate for that information.

- -
{% include badge.html color="success" text="Email Encryption" %}
-

Mailbox.org has integrated encryption in their webmail, which simplifies sending messages to users with public OpenPGP keys. They also allow remote recipients to decrypt an email on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.

-

Mailbox.org also supports the discovery of public keys via HTTP from their Web Key Directory (WKD). This allows users outside of Mailbox.org to find the OpenPGP keys of Mailbox.org users easily, for cross-provider E2EE.

- -
{% include badge.html color="warning" text=".onion Service" %}
-

You can access your Mailbox.org account via IMAP/SMTP using their .onion service. However, their webmail interface cannot be accessed via their .onion service, and users may experience TLS certificate errors.

- -
{% include badge.html color="info" text="Extra Functionality" %}
-

All accounts come with limited cloud storage that can be encrypted. Mailbox.org also offers the alias @secure.mailbox.org, which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports Exchange ActiveSync in addition to standard access protocols like IMAP and POP3.

-
-
-
-
- Disroot -
-
-

Disroot {% include badge.html color="info" text="Free" %}

-

Disroot offers email amongst other services. The service is maintained by volunteers and its community. They have been in operation since 2015. Disroot is based in Amsterdam. Disroot is free and uses open source software such as Rainloop to provide service. Users support the service through donations and buying extra storage. The mailbox limit is 1 GB, but extra storage can be purchased 0.15€ per GB per month paid yearly.

- -
{% include badge.html color="success" text="Domains and Aliases" %}
-

Disroot lets users use their own domain. They have aliases, however you must manually apply for them.

- -
{% include badge.html color="success" text="Payment Methods" %}
-

Disroot accepts Bitcoin and Faircoin as payment methods. They also accept PayPal, direct bank deposit, and Patreon payments. Disroot is a not-for-profit organization that also accepts donations through Liberapay, Flattr, and Monero, but these payment methods cannot be used to purchase services.

- -
{% include badge.html color="success" text="Account Security" %}
-

Disroot supports TOTP two factor authentication for webmail only. They do not allow U2F security key authentication.

- -
{% include badge.html color="warning" text="Data Security" %}
-

Disroot uses full disk encryption. However, it doesn't appear to be "zero access", meaning it is technically possible for them to decrypt the data they have.

-

Disroot also uses the standard CalDAV and CardDAV protocols for calendars and contacts, which do not support E2EE. A standalone option may be more appropriate.

- -
{% include badge.html color="success" text="Email Encryption" %}
-

Disroot allows for encrypted emails to be sent from their webmail application using OpenPGP. However, Disroot has not integrated a Web Key Directory (WKD) for users on their platform.

- -
{% include badge.html color="danger" text=".onion Service" %}
-

Disroot does not operate a .onion service.

- -
{% include badge.html color="info" text="Extra Functionality" %}
-

They offer other services such as NextCloud, XMPP Chat, Etherpad, Ethercalc, Pastebin, Online polls and a Gitea instance. They also have an app available in F-Droid.

-
-
-
-
- Tutanota -
-
-

Tutanota {% include badge.html color="info" text="Free" %}

-

Tutanota.com is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since 2011 and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.

-

Tutanota doesn't allow the use of third-party email clients. Tutanota has no plans pull email from external email accounts using the IMAP protocol. Email import is currently not possible.

-

Emails can be exported individually or by bulk selection. Tutanota does not allow for subfolders as you might expect with other email providers.

-

Tutanota is working on a desktop client and they have an app available in F-Droid. They also have their app in conventional stores such as App Store on iOS and Google Play for Android.

- -
{% include badge.html color="success" text="Domains and Aliases" %}
-

Paid Tutanota accounts can use up to 5 aliases and custom domains. Tutanota doesn't allow for subaddressing (plus addresses), but you can use a catch-all with a custom domain.

- -
{% include badge.html color="warning" text="Payment Methods" %}
-

Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their partnership with Proxystore.

- -
{% include badge.html color="success" text="Account Security" %}
-

Tutanota supports two factor authentication. Users can either use TOTP or U2F. U2F support is not yet available on Android.

- -
{% include badge.html color="success" text="Data Security" %}
-

Tutanota has zero access encryption at rest for your emails, address book contacts, and calendars. This means the messages and other data stored in your account are only readable by you.

- -
{% include badge.html color="warning" text="Email Encryption" %}
-

Tutanota does not use OpenPGP. Tutanota users can only receive encrypted emails when external users send them through a temporary Tutanota mailbox.

-

Tutanota does have plans to support AutoCrypt. This would allow for external users to send encrypted emails to Tutanota users as long as their email client supports the AutoCrypt headers.

- -
{% include badge.html color="danger" text=".onion Service" %}
-

Tutanota does not operate a .onion service but may consider it in the future.

- -
{% include badge.html color="info" text="Extra Functionality" %}
-

Tutanota offers the business version of Tutanota to non-profit organizations for free or with a heavy discount.

- -

Tutanota also has a business feature called Secure Connect. This ensures customer contact to the business uses E2EE. The feature costs €240/y.

-
-
-
-
- StartMail -
-
-

StartMail {% include badge.html color="info" text="Personal USD $59.95/y" %}

-

StartMail.com is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.

- -
{% include badge.html color="success" text="Domains and Aliases" %}
-

Personal accounts can use Custom or Quick aliases. Custom domains are also available.

- -
{% include badge.html color="warning" text="Payment Methods" %}
-

StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other payment options such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.

- -
{% include badge.html color="success" text="Account Security" %}
-

StartMail supports TOTP two factor authentication for webmail only. They do not allow U2F security key authentication.

- -
{% include badge.html color="warning" text="Data Security" %}
-

StartMail has zero access encryption at rest, using their "user vault" system. When a user logs in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.

- -

StartMail supports importing contacts however, they are only accessible in the webmail and not through protocols such as CalDAV. Contacts are also not stored using zero knowledge encryption, so a standalone option may be more appropriate.

- -
{% include badge.html color="success" text="Email Encryption" %}
-

StartMail has integrated encryption in their webmail, which simplifies sending messages to users with public OpenPGP keys.

- -
{% include badge.html color="danger" text=".onion Service" %}
-

StartMail does not operate a .onion service.

- -
{% include badge.html color="info" text="Extra Functionality" %}
-

StartMail allows for proxying of images within emails. If a user allows the remote image to be loaded, the sender won't know what the user's IP address is.

-
-
-
-
- CTemplar -
-
-

CTemplar {% include badge.html color="info" text="Prime USD $96/y" %}

-

CTemplar is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. CTemplar has been in operation since 2018 and is run from Iceland. Paid accounts start with 5GB. They offer free accounts by invitation.

- -
{% include badge.html color="success" text="Domains and Aliases" %}
-

Paid accounts can use Custom Domains and aliases.

- -
{% include badge.html color="success" text="Payment Methods" %}
-

CTemplar payment options include Credit cards via Stripe, Bitcoin and Monero.

- -
{% include badge.html color="success" text="Account Security" %}
-

CTemplar supports TOTP two factor authentication for webmail only. They do not allow U2F security key authentication.

- -
{% include badge.html color="success" text="Data Security" %}
-

CTemplar has zero access encryption at rest, using PGP. They support protected headers and therefore there is subject encryption.

- -

CTemplar supports importing contacts and contacts are encrypted at rest however, they are only accessible in the webmail and apps.

- -
{% include badge.html color="success" text="Email Encryption" %}
-

CTemplar has integrated encryption in their webmail, which simplifies sending messages to users with public OpenPGP keys.

- -
{% include badge.html color="warning" text=".onion Service" %}
-

CTemplar's .onion service ctemplarpizuduxk3fkwrieizstx33kg5chlvrh37nz73pv5smsvl6ad.onion is currently disabled for webmail access, due to a Tor Browser bug.

- -
{% include badge.html color="info" text="Extra Functionality" %}
-

CTemplar has a dead man timer feature that will automatically send a specific message that you've set after a given period of time.

-

CTemplar also has a feature that allows users verify checksums of production pages with a public copy on Github.

-

Electron clients exist for Windows, Mac and Linux. Official clients also exist for iOS and Android (including F-Droid.) All of these clients are open source.

-
-
-
diff --git a/_includes/legacy/sections/email-warning.html b/_includes/legacy/sections/email-warning.html
deleted file mode 100644
index 105ac238..00000000
--- a/_includes/legacy/sections/email-warning.html
+++ /dev/null
@@ -1,10 +0,0 @@
-
-
-
Warning
-
-

When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about email metadata.

-

OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. How do I protect my private keys?

-

Rather than use email for prolonged conversations, consider using a medium that does support Forward secrecy.

- Recommended Instant Messengers -
-
diff --git a/_includes/legacy/sections/file-encryption.html b/_includes/legacy/sections/file-encryption.html
deleted file mode 100644
index aeeba3a0..00000000
--- a/_includes/legacy/sections/file-encryption.html
+++ /dev/null
@@ -1,44 +0,0 @@
-
-
-{%
- include legacy/cardv2.html
- title="VeraCrypt - Disk Encryption"
- image="/assets/img/legacy_svg/3rd-party/veracrypt.svg"
- image-dark="/assets/img/legacy_svg/3rd-party/veracrypt-dark.svg"
- description="VeraCrypt is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device with pre-boot authentication. VeraCrypt is a fork of the discontinued TrueCrypt project. It was initially released on June 22, 2013. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed."
- website="https://veracrypt.fr/"
- git="https://www.veracrypt.fr/code/"
- windows="https://www.veracrypt.fr/en/Downloads.html"
- linux="https://www.veracrypt.fr/en/Downloads.html"
- mac="https://www.veracrypt.fr/en/Downloads.html"
-%}
-
-{%
- include legacy/cardv2.html
- title="GNU Privacy Guard - Email Encryption"
- image="/assets/img/legacy_svg/3rd-party/gnupg.svg"
- description="GnuPG is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Current versions of PGP (and Veridis' Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems. GnuPG is a part of the Free Software Foundation's GNU software project, and has received major funding from the German government."
- website="https://gnupg.org/"
- privacy-policy="https://gnupg.org/privacy-policy.html"
- git="https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git"
- windows="https://gpg4win.org/download.html"
- linux="https://gnupg.org/download/index.html#binary"
- freebsd="https://www.freshports.org/security/gnupg/"
- openbsd="http://openports.se/security/gnupg"
- netbsd="http://pkgsrc.se/security/gnupg"
- mac="https://gpgtools.org/"
- fdroid="https://f-droid.org/app/org.sufficientlysecure.keychain"
- googleplay="https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain"
-%}
-
-

Worth Mentioning

- -
    -
  • Cryptomator - Free client-side AES encryption for your cloud files. Open source software: No backdoors, no registration.
  • -
  • Linux Unified Key Setup (LUKS) - A full disk encryption system for Linux using dm-crypt as the disk encryption backend. Included by default in Ubuntu. Available for Windows and Linux.
  • -
  • Tomb - A simple zsh script for making LUKS containers on the commandline.
  • -
  • Hat.sh - A web application that provides secure client-side file encryption in your browser. It can also be selfhosted.
  • -
  • Kryptor - Free and open source file encryption software for Windows, macOS, and Linux.
  • -
diff --git a/_includes/legacy/sections/file-sharing.html b/_includes/legacy/sections/file-sharing.html
deleted file mode 100644
index 777d31f1..00000000
--- a/_includes/legacy/sections/file-sharing.html
+++ /dev/null
@@ -1,36 +0,0 @@
-

File Sharing

-
-{% include legacy/cardv2.html
- title="OnionShare"
- image="/assets/img/legacy_svg/3rd-party/onionshare.svg"
- website="https://onionshare.org/"
- tor="http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion/"
- description="OnionShare is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files."
- github="https://github.com/micahflee/onionshare"
- windows="https://onionshare.org/#downloads"
- mac="https://onionshare.org/#downloads"
- linux="https://onionshare.org/#downloads"
- freebsd="https://www.freshports.org/www/onionshare/"
- openbsd="http://openports.se/net/onionshare"
-%}
-
-{% include legacy/cardv2.html
- title="Magic Wormhole"
- image="/assets/img/legacy_png/3rd-party/magic_wormhole.png"
- website="https://magic-wormhole.readthedocs.io"
- description="Magic Wormhole is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. Their motto: \"Get things from one computer to another, safely.\""
- github="https://github.com/warner/magic-wormhole"
- windows="https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation"
- mac="https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation"
- linux="https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation"
- freebsd="https://www.freshports.org/net/py-magic-wormhole/"
- openbsd="https://pypi.org/project/magic-wormhole/"
- netbsd="https://pypi.org/project/magic-wormhole/"
-%}
-
-

Worth Mentioning

- -
    -
  • croc - Easily and securely send arbitrary-sized files from one computer to another. Similar to Magic Wormhole but without dependencies.
  • -
  • FreedomBox - Designed to be your own inexpensive server at home. It runs free software and offers an increasing number of services ranging from a calendar or XMPP server, to a wiki, or VPN.
  • -
diff --git a/_includes/legacy/sections/file-sync.html b/_includes/legacy/sections/file-sync.html
deleted file mode 100644
index 3057bb84..00000000
--- a/_includes/legacy/sections/file-sync.html
+++ /dev/null
@@ -1,26 +0,0 @@
-

- -File Sync -

-
-{%
- include legacy/cardv2.html
- title="Syncthing"
- image="/assets/img/legacy_svg/3rd-party/syncthing.svg"
- description="Syncthing replaces proprietary sync and cloud services with something open, trustworthy and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third-party, and how it is transmitted over the Internet."
- website="https://syncthing.net/"
- github="https://github.com/syncthing?type=source"
- windows="https://github.com/syncthing/syncthing-gtk/releases/latest"
- linux="https://github.com/syncthing/syncthing-gtk/releases/latest"
- mac="https://github.com/syncthing/syncthing-macos/releases/latest"
- fdroid="https://f-droid.org/packages/com.github.catfriend1.syncthingandroid/"
- googleplay="https://play.google.com/store/apps/details?id=com.github.catfriend1.syncthingandroid"
-%}
-
-

Worth Mentioning

- -
    -
  • - git-annex - Allows managing files with git, without checking the file contents into git. While that may seem paradoxical, it is useful when dealing with files larger than git can currently easily handle, whether due to limitations in memory, time, or disk space. -
  • -
diff --git a/_includes/legacy/sections/ios-addons.html b/_includes/legacy/sections/ios-addons.html
deleted file mode 100644
index 6b847e24..00000000
--- a/_includes/legacy/sections/ios-addons.html
+++ /dev/null
@@ -1,15 +0,0 @@
-

iOS Privacy Add-ons

- -
- -
-
- AdGuard -
-
-

Block content in Safari with AdGuard for iOS

-

AdGuard for iOS is a free (and open-source) content-blocking app that allows you to set filters within Safari. As required by iOS, it uses the native Content Blocker API for even greater privacy.

-
-
- -
diff --git a/_includes/legacy/sections/key-disclosure-law.html b/_includes/legacy/sections/key-disclosure-law.html
deleted file mode 100644
index e26979a3..00000000
--- a/_includes/legacy/sections/key-disclosure-law.html
+++ /dev/null
@@ -1,88 +0,0 @@
-

Key Disclosure Law

- -

Who is required to hand over the encryption keys to authorities?

- -

Mandatory key disclosure laws require individuals to turn over encryption keys to law enforcement conducting a criminal investigation. How these laws are implemented (who may be legally compelled to assist) vary from nation to nation, but a warrant is generally required. Defenses against key disclosure laws include steganography and encrypting data in a way that provides plausible deniability.

Steganography involves hiding sensitive information (which may be encrypted) inside of ordinary data (for example, encrypting an image file and then hiding it in an audio file). With plausible deniability, data is encrypted in a way that prevents an adversary from being able to prove that the information they are after exists (for example, one password may decrypt benign data and another password, used on the same file, could decrypt sensitive data).

- -
- - {% include legacy/panel.html color="danger" - title="Key disclosure laws apply" - body=' -
    -
  1. Antigua and Barbuda
  2. -
  3. Australia
  4. -
  5. France
  6. -
  7. India
  8. -
  9. Ireland
  10. -
  11. Norway
  12. -
  13. Russia
  14. -
  15. South Africa
  16. -
  17. United Kingdom
  18. -
- ' - %} - - {% include legacy/panel.html color="danger" - title="Key disclosure laws may apply" - body=' -
    -
  1. Belgium
  2. -
  3. Estonia
  4. -
  5. Finland *
  6. -
  7. New Zealand (unclear)
  8. -
  9. The Netherlands *
  10. -
  11. Sweden (proposed)
  12. -
  13. United States (see related info)
  14. -
- ' - %} - - {% include legacy/panel.html color="secondary" - title="Key disclosure laws don't apply" - body=' -
    -
  1. Canada
  2. -
  3. Czech Republic
  4. -
  5. Germany
  6. -
  7. Iceland
  8. -
  9. Italy
  10. -
  11. Poland
  12. -
  13. Switzerland
  14. -
- ' - %} - -
- -

* People who know how to access a system may be ordered to share their knowledge. However, this doesn't apply to the suspect itself or family members.

- -

Related Information

- - - -

Why is it not recommended to choose a US-based service?

- -USA - -

Services based in the United States are not recommended because of the country's surveillance programs and use of National Security Letters (NSLs) with accompanying gag orders, which forbid the recipient from talking about the request. This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.

- -

An example of this is Lavabit – a secure email service created by Ladar Levison. The FBI requested Snowden's records after finding out that he used the service. Since Lavabit did not keep logs and email content was stored encrypted, the FBI served a subpoena (with a gag order) for the service's SSL keys. Having the SSL keys would allow them to access -communications (both metadata and unencrypted content) in real time for all of Lavabit's customers, not just Snowden's.

- -

Ultimately, Levison turned over the SSL keys and shut down the service at the same time. The US government then threatened Levison with arrest, saying that shutting down the service was a violation of the court order.

- -

Related Information

-
-
diff --git a/_includes/legacy/sections/metadata-removal-tools.html b/_includes/legacy/sections/metadata-removal-tools.html
deleted file mode 100644
index 9b64c998..00000000
--- a/_includes/legacy/sections/metadata-removal-tools.html
+++ /dev/null
@@ -1,26 +0,0 @@
-{%
- include legacy/cardv2.html
- title="MAT2"
- image="/assets/img/legacy_svg/3rd-party/mat2.svg"
- description="MAT2 is free software, which allows the removal of metadata of image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an extension for Nautilus, the default file manager of GNOME."
- website="https://0xacab.org/jvoisin/mat2"
- gitlab="https://0xacab.org/jvoisin/mat2"
- windows="https://pypi.org/project/mat2/"
- mac="https://pypi.org/project/mat2/"
- linux="https://pypi.org/project/mat2/"
- freebsd="https://pypi.org/project/mat2/"
- openbsd="https://pypi.org/project/mat2/"
- netbsd="https://pypi.org/project/mat2/"
-%}
-
-{%
- include legacy/cardv2.html
- title="ExifCleaner"
- image="/assets/img/legacy_svg/3rd-party/exifcleaner.svg"
- description='ExifCleaner is a freeware, open source graphical app that uses ExifTool to remove exif metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.'
- website="https://exifcleaner.com"
- github="https://github.com/szTheory/exifcleaner"
- windows="https://github.com/szTheory/exifcleaner/releases"
- mac="https://github.com/szTheory/exifcleaner/releases"
- linux="https://github.com/szTheory/exifcleaner/releases"
-%}
diff --git a/_includes/legacy/sections/notebooks.html b/_includes/legacy/sections/notebooks.html
deleted file mode 100644
index 907791ba..00000000
--- a/_includes/legacy/sections/notebooks.html
+++ /dev/null
@@ -1,52 +0,0 @@
-

Digital Notebook

-
-
-
-{% include legacy/cardv2.html
- title="Joplin"
- image="/assets/img/legacy_svg/3rd-party/joplin.svg"
- description="Joplin is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers end-to-end encryption and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes."
- website="https://joplinapp.org/"
- privacy-policy="https://joplinapp.org/privacy/"
- github="https://github.com/laurent22/joplin"
- windows="https://joplinapp.org/#desktop-applications"
- mac="https://joplinapp.org/#desktop-applications"
- linux="https://joplinapp.org/#desktop-applications"
- freebsd="https://www.npmjs.com/package/joplin"
- googleplay="https://play.google.com/store/apps/details?id=net.cozic.joplin"
- android="https://joplinapp.org/#mobile-applications"
- ios="https://apps.apple.com/app/id1315599797"
- firefox="https://addons.mozilla.org/en-US/firefox/addon/joplin-web-clipper/"
- chrome="https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek"
-%}
-
-{% include legacy/cardv2.html
- title="Standard Notes"
- image="/assets/img/legacy_svg/3rd-party/standard_notes.svg"
- description='Standard Notes is a simple and private notes app that makes your notes easy and available everywhere you are. It features end-to-end encryption on every platform, and a powerful desktop experience with themes and custom editors. It has also been independently audited (PDF).'
- website="https://standardnotes.org/"
- privacy-policy="https://standardnotes.org/privacy"
- github="https://github.com/standardnotes"
- windows="https://standardnotes.org/#get-started"
- mac="https://standardnotes.org/#get-started"
- linux="https://standardnotes.org/#get-started"
- ios="https://apps.apple.com/app/id1285392450"
- googleplay="https://play.google.com/store/apps/details?id=com.standardnotes"
- web="https://app.standardnotes.org/"
-%}
-
-

Warning

- -
    -
  • Note: As of Dec 2018, Joplin does not support password/pin protection for the application itself or individual notes/notebooks. Data is still encrypted in transit and at sync location using your master key. See open issue.
  • -
- -

Worth Mentioning

- -
    -
  • EteSync - Secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars, tasks and notes.
  • -
  • Paperwork - An open-source and self-hosted solution. For PHP / MySQL servers.
  • -
  • Org-mode - A major mode for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system.
  • -
diff --git a/_includes/legacy/sections/password-managers.html b/_includes/legacy/sections/password-managers.html
deleted file mode 100644
index 1ca14aa8..00000000
--- a/_includes/legacy/sections/password-managers.html
+++ /dev/null
@@ -1,61 +0,0 @@
-

Password Manager Software

-
-{%
- include legacy/cardv2.html
- title="Bitwarden - Cloud/Self-host"
- image="/assets/img/legacy_svg/3rd-party/bitwarden.svg"
- description="Bitwarden is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the easiest and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. If you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden server."
- website="https://bitwarden.com/"
- privacy-policy="https://bitwarden.com/privacy/"
- github="https://github.com/bitwarden"
- web="https://vault.bitwarden.com/#/"
- windows="https://bitwarden.com/download/"
- linux="https://bitwarden.com/download/"
- freebsd="https://www.npmjs.com/package/@bitwarden/cli"
- openbsd="https://www.npmjs.com/package/@bitwarden/cli"
- netbsd="https://www.npmjs.com/package/@bitwarden/cli"
- mac="https://apps.apple.com/app/bitwarden/id1352778147"
- firefox="https://addons.mozilla.org/firefox/addon/bitwarden-password-manager/"
- chrome="https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb"
- safari="https://apps.apple.com/app/id1352778147"
- opera="https://addons.opera.com/extensions/details/bitwarden-free-password-manager/"
- edge="https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh"
- fdroid="https://mobileapp.bitwarden.com/fdroid/"
- googleplay="https://play.google.com/store/apps/details?id=com.x8bit.bitwarden"
- ios="https://apps.apple.com/app/id1137397744"
-%}
-
-{%
- include legacy/cardv2.html
- title="KeePassXC - Local"
- image="/assets/img/legacy_svg/3rd-party/keepassxc.svg"
- description="KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern
open-source password manager."
- website="https://keepassxc.org/"
- privacy-policy="https://keepassxc.org/privacy/"
- github="https://github.com/keepassxreboot/keepassxc"
- windows="https://keepassxc.org/download/#windows"
- linux="https://keepassxc.org/download/#linux"
- mac="https://keepassxc.org/download/#mac"
- freebsd="https://www.freshports.org/security/keepassxc/"
- openbsd="http://openports.se/security/keepassxc"
- netbsd="http://pkgsrc.se/security/keepassxc"
- fdroid="https://f-droid.org/packages/com.kunzisoft.keepass.libre/"
- googleplay="https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free"
- firefox="https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser"
- chrome="https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk"
-%}
-
-

Worth Mentioning

- -
    -
  • - Psono - Free and open source password manager for teams with client side encryption and secure sharing of passwords, files, bookmarks, emails. All secrets are protected by a master password. Uses NACL Crypto, a combination of Curve25519, Salsa20 and Poly1305. -
  • - -
  • - Password Safe - Whether the answer is one or hundreds, Password Safe allows you to safely and easily create a secured and encrypted username/password list. With Password Safe all you have to do is create and remember a single "Master Password" of your choice in order to unlock and access your entire username/password list. -
  • -
  • - Pass - Pass is a bare-bones password store that keeps passwords using gpg2 encrypted files inside a simple directory tree residing at ~/.password-store. It has a simple terminal interface where the user can perform the usual actions, and it's functionality can be extended by plugins. It can also be used in scripts without having to input the actual password in plain text. -
  • -
diff --git a/_includes/legacy/sections/privacy-resources.html b/_includes/legacy/sections/privacy-resources.html
deleted file mode 100644
index 14f0fccb..00000000
--- a/_includes/legacy/sections/privacy-resources.html
+++ /dev/null
@@ -1,39 +0,0 @@
-

More Privacy Resources

- -

Guides

- - - -

Information

- -
    -
  • Freedom of the Press Foundation - Supporting and defending journalism dedicated to transparency and accountability since 2012.
  • -
  • Open Wireless Movement - a coalition of Internet freedom advocates, companies, organizations, and technologists working to develop new wireless technologies and to inspire a movement of Internet openness.
  • -
  • privacy.net - What does the US government know about you?
  • -
  • Security Now! - Weekly Internet Security Podcast by Steve Gibson and Leo Laporte.
  • -
  • TechSNAP - Weekly Systems, Network, and Administration Podcast. Every week TechSNAP covers the stories that impact those of us in the tech industry.
  • -
  • Terms of Service; Didn't Read - "I have read and agree to the Terms" is the biggest lie on the web. We aim to fix that.
  • -
- -

Tools

- -
    -
  • ipleak.net - IP/DNS Detect - What is your IP, what is your DNS, what informations you send to websites.
  • -
  • The ultimate Online Privacy Test Resource List - A collection of Internet sites that check whether your web browser leaks information.
  • -
  • PRISM Break - We all have a right to privacy, which you can exercise today by encrypting your communications and ending your reliance on proprietary services.
  • -
  • Security in-a-Box - A guide to digital security for activists and human rights defenders throughout the world.
  • -
  • SecureDrop - An open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It was originally created - by the late Aaron Swartz and is currently managed by Freedom of the Press Foundation.
  • -
  • Security First - Umbrella is an Android app that provides all the advice needed to operate safely in a hostile environment.
  • -
  • Osalt - A directory to help you find open source alternatives to proprietary tools.
  • -
  • AlternativeTo - A directory to help find alternatives to other software, with the option to only show open source software
  • -
- -

Note: Just being open source does not make software secure!

diff --git a/_includes/legacy/sections/productivity-tools.html b/_includes/legacy/sections/productivity-tools.html
deleted file mode 100644
index edfc0feb..00000000
--- a/_includes/legacy/sections/productivity-tools.html
+++ /dev/null
@@ -1,47 +0,0 @@
-{% include legacy/cardv2.html
- title="PrivateBin"
- image="/assets/img/legacy_svg/3rd-party/privatebin.svg"
- description="PrivateBin is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. Do note that it uses JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat."
- website="https://privatebin.info/"
- github="https://github.com/PrivateBin/PrivateBin"
-%}
-
-{%
- include legacy/cardv2.html
- title="CryptPad"
- image="/assets/img/legacy_svg/3rd-party/cryptpad.svg"
- description="CryptPad is a private-by-design alternative to popular office tools. All content is end-to-end encrypted. Do note that it uses JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat."
- website="https://cryptpad.fr/"
- privacy-policy="https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/"
- github="https://github.com/xwiki-labs/cryptpad"
- web="https://cryptpad.fr/"
-%}
-
-{%
- include legacy/cardv2.html
- title="Write.as"
- image="/assets/img/legacy_svg/3rd-party/writeas.svg"
- image-dark="/assets/img/legacy_svg/3rd-party/writeas-dark.svg"
- description="Write.as is a cross-platform, privacy-oriented blogging platform. It's anonymous by default, letting you publish without signing up. If you create an account, it doesn't require any personal information. No ads, distraction-free, and built on a sustainable business model."
- website="https://write.as/"
- privacy-policy="https://write.as/privacy"
- tor="http://writeasw4b635r4o3vec6mu45s47ohfyro5vayzx2zjwod4pjswyovyd.onion"
- git="https://code.as/writeas"
- web="https://write.as/pad"
- windows="https://github.com/writeas/writeas-cli"
- mac="https://github.com/writeas/writeas-cli"
- linux="https://write.as/apps"
- chrome="https://write.as/apps"
- googleplay="https://play.google.com/store/apps/details?id=com.abunchtell.writeas"
- ios="https://apps.apple.com/app/id1531530896"
-%}
-
-

Worth Mentioning

- -
    -
  • Cryptee - Free privacy-friendly service for storing Documents, files and Photos
  • -
  • dudle - An online scheduling application, free and open-source. Schedule meetings or make small online polls. No email collection or the need of registration.
  • -
  • Framadate - A free and open-source online service for planning an appointment or making a decision quickly and easily. No registration is required.
  • -
  • LibreOffice - Free and open-source office suite.
  • -
  • VSCodium - Scripts to automatically build Microsoft's Visual Studio Code editor without branding or telemetry.
  • -
diff --git a/_includes/legacy/sections/quotes.html b/_includes/legacy/sections/quotes.html
deleted file mode 100644
index 6885f087..00000000
--- a/_includes/legacy/sections/quotes.html
+++ /dev/null
@@ -1,53 +0,0 @@
-
-

Glenn Greenwald: Why privacy matters - Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a - pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I - want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer.

- -
- -
-

The primary reason for window curtains in our house, is to stop people from being able to see in. The reason we don’t want them to see in is because we consider much of what we do inside our homes to be private. Whether that be having dinner at the table, watching a movie with your kids, or even engaging in intimate or sexual acts with your partner. None of these things are illegal by any means but even knowing this, we still keep the curtains and blinds on our windows. We clearly have this strong desire for privacy when it comes to our personal life and the public.

- -
- -
-

[...] But saying that you don't need or want privacy because you have nothing to hide is to assume that no one should have, or could have, to hide anything -- including their immigration status, unemployment history, financial history, and health records. You're assuming that no one, including yourself, might object to revealing to anyone information about their religious beliefs, political affiliations, and sexual activities, as casually as some choose to reveal their movie and music tastes and reading preferences.

- -
- -
-

Privacy is not a luxury [in America]: it is a right – one that we need to defend in the digital realm as much as in the physical realm. We need to stay vigilant to maintain access to that right, though ... especially as technology continues to advance...

- -
- -

Read also:

- - - -

Quotes

- -
-

Ultimately, saying that you don't care about privacy because you have nothing to hide is no different from saying you don't care about freedom of speech because you have nothing to say. Or that you don't care about freedom of the press because you don't like to read. Or that you don't care about freedom of religion because you don't believe in God. Or that you don't care about the freedom to peacably assemble because you're a lazy, antisocial agoraphobe.

- -
- -
-

The NSA has built an infrastructure that allows it to intercept almost everything. With this capability, the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife's phone, all - I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards. I don't want to live in a society that does these sort of things... I do not want to live in a world where everything I do and say is recorded. That is - not something I am willing to support or live under.

- -
- -
-

We all need places where we can go to explore without the judgmental eyes of other people being cast upon us, only in a realm where we're not being watched can we really test the limits of who we want to be. It's really in the private realm where - dissent, creativity and personal exploration lie.

- -
diff --git a/_includes/legacy/sections/resources.html b/_includes/legacy/sections/resources.html
deleted file mode 100644
index 2c1e31cd..00000000
--- a/_includes/legacy/sections/resources.html
+++ /dev/null
@@ -1,55 +0,0 @@
-

Privacy Tools

- -

Prefer the classic site? View a single-page layout.

- -
-
- {% include legacy/card.html color="success"
- title="Providers"
- icon="fas fa-server"
- iconcolor="dark"
- page="/providers/"
- description="Discover privacy-centric online services, including email providers, VPN operators, DNS administrators, and more!"
- %}
-
- {% include legacy/card.html color="primary"
- title="Web Browsers"
- icon="far fa-compass"
- iconcolor="dark"
- page="/browsers/"
- description="Find a web browser that respects your privacy, and discover how to harden your browser against tracking and leaks."
- %}
-
- {% include legacy/card.html color="warning"
- title="Software"
- icon="far fa-window-restore"
- iconcolor="dark"
- page="/software/"
- description="Discover a variety of open source software built to protect your privacy and keep your digital data secure."
- %}
-
- {% include legacy/card.html color="info"
- title="Operating Systems"
- icon="fas fa-desktop"
- iconcolor="dark"
- page="/operating-systems/"
- description="Find out how your operating system is compromising your privacy, and what simple alternatives exist."
- %}
-
- {% include legacy/card.html color="secondary"
- title="Privacy Guides Services"
- icon="far fa-eye-slash"
- iconcolor="dark"
- page="/services/"
- description="The Privacy Guides team is proud to launch a variety of privacy-centric online services, including a Mastodon instance, search engine, and more!"
- %}
-
- {% include legacy/card.html color="danger"
- title="Donate"
- icon="fas fa-donate"
- iconcolor="dark"
- page="/donate/"
- description="We can't operate this site without the generous contributions we receive from our viewers. If you love privacy and our website please consider donating."
- %}
-
-
diff --git a/_includes/legacy/sections/self-contained-networks.html b/_includes/legacy/sections/self-contained-networks.html
deleted file mode 100644
index 181636ec..00000000
--- a/_includes/legacy/sections/self-contained-networks.html
+++ /dev/null
@@ -1,53 +0,0 @@
-

Self-contained Networks

-
-{% include legacy/cardv2.html
- title="Tor"
- image="/assets/img/legacy_svg/3rd-party/tor.svg"
- description="The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor's users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Tor is an effective censorship circumvention tool."
- website="https://www.torproject.org/"
- tor="http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion"
- windows="https://www.torproject.org/download/"
- mac="https://www.torproject.org/download/"
- linux="https://www.torproject.org/download/"
- freebsd="https://www.freshports.org/security/tor"
- openbsd="http://openports.se/net/tor"
- netbsd="http://pkgsrc.se/net/tor"
- fdroid="https://support.torproject.org/tormobile/tormobile-7/"
- googleplay="https://play.google.com/store/apps/details?id=org.torproject.torbrowser"
- android="https://www.torproject.org/download/#android"
- git="https://gitweb.torproject.org/tor.git"
-%}
-
-{% include legacy/cardv2.html
- title="I2P Anonymous Network"
- image="/assets/img/legacy_svg/3rd-party/i2p.svg"
- image-dark="/assets/img/legacy_svg/3rd-party/i2p-dark.svg"
- description="The Invisible Internet Project (I2P) is a computer network layer that allows applications to send messages to each other pseudonymously and securely. Uses include anonymous Web surfing, chatting, blogging, and file transfers. The software that implements this layer is called an I2P router and a computer running I2P is called an I2P node. The software is free and open-source and is published under multiple licenses."
- website="https://geti2p.net/"
- i2p="http://i2p-projekt.i2p/"
- windows="https://geti2p.net/en/download#windows"
- mac="https://geti2p.net/en/download#mac"
- linux="https://geti2p.net/en/download#unix"
- freebsd="https://www.freshports.org/security/i2p/"
- openbsd="http://openports.se/net/i2pd"
- netbsd="http://pkgsrc.se/wip/i2pd"
- fdroid="https://f-droid.org/app/net.i2p.android.router"
- googleplay="https://play.google.com/store/apps/details?id=net.i2p.android"
- android="https://download.i2p2.de/android/current/"
- source="https://geti2p.net/en/get-involved/guides/new-developers#getting-the-i2p-code"
-%}
-
-{% include legacy/cardv2.html
- title="The Freenet Project"
- image="/assets/img/legacy_svg/3rd-party/freenet.svg"
- description="Freenet is a peer-to-peer platform for censorship-resistant communication. It uses a decentralized distributed data store to keep and deliver information, and has a suite of free software for publishing and communicating on the Web without fear of censorship. Both Freenet and some of its associated tools were originally designed by Ian Clarke, who defined Freenet's goal as providing freedom of speech on the Internet with strong anonymity protection."
- website="https://freenetproject.org/"
- windows="https://freenetproject.org/pages/download.html#windows"
- mac="https://freenetproject.org/pages/download.html#os-x"
- linux="https://freenetproject.org/pages/download.html#gnulinux-posix"
- freebsd="https://freenetproject.org/pages/download.html#gnulinux-posix"
- openbsd="https://freenetproject.org/pages/download.html#gnulinux-posix"
- netbsd="https://freenetproject.org/pages/download.html#gnulinux-posix"
- github="https://github.com/freenet/"
-%}
-
diff --git a/_includes/legacy/sections/social-networks.html b/_includes/legacy/sections/social-networks.html
deleted file mode 100644
index a2dbb3fb..00000000
--- a/_includes/legacy/sections/social-networks.html
+++ /dev/null
@@ -1,76 +0,0 @@
-

Decentralized Social Networks

-
-
-
-{% include legacy/cardv2.html
- title="Mastodon - Twitter Alternative"
- image="/assets/img/legacy_svg/3rd-party/mastodon.svg"
- description='Mastodon is a social network based on open web protocols and free, open-source software. It is decentralized like email, users can exist on different servers or even different platforms but still communicate with each other. It also has the most users, and the most diverse (in terms of interests) users, it looks good, and it is easy to setup yourself.'
- website="https://joinmastodon.org/"
- github="https://github.com/tootsuite/mastodon"
- windows="https://joinmastodon.org/apps"
- mac="https://joinmastodon.org/apps"
- linux="https://joinmastodon.org/apps"
- freebsd="https://joinmastodon.org/apps"
- openbsd="https://joinmastodon.org/apps"
- netbsd="https://joinmastodon.org/apps"
- android="https://joinmastodon.org/apps"
- sailfish="https://joinmastodon.org/apps"
- ios="https://joinmastodon.org/apps"
- web="https://joinmastodon.org/#getting-started"
-%}
-
-{% include legacy/cardv2.html
- title="diaspora* - Google+ Alternative"
- image="/assets/img/legacy_svg/3rd-party/diaspora.svg"
- description="diaspora* is based on three key philosophies: Decentralization, Freedom, and Privacy. It is intended to address privacy concerns related to centralized social networks by allowing users set up their own server (or \"pod\") to host content. Pods can then interact to share status updates, photographs, and other social data."
- website="https://diasporafoundation.org/"
- github="https://github.com/diaspora/diaspora"
- android="https://wiki.diasporafoundation.org/Tools_to_use_with_Diaspora#Android"
- web="https://diasporafoundation.org/"
-%}
-
-{% include legacy/cardv2.html
- title="Friendica - Facebook Alternative"
- image="/assets/img/legacy_svg/3rd-party/friendica.svg"
- description="Friendica has an emphasis on extensive privacy settings and easy server installation. It aims to federate with as many other social networks as possible. Currently, Friendica users can integrate contacts from Facebook, Twitter, Diaspora, GNU social, App.net, Pump.io and other services in their social streams."
- website="https://friendi.ca/"
- github="https://github.com/friendica/friendica"
- windows="https://friendi.ca/resources/mobile-clients/"
- linux="https://friendi.ca/resources/mobile-clients/"
- android="https://friendi.ca/resources/mobile-clients/"
- sailfish="https://friendi.ca/resources/mobile-clients/"
- web="https://friendi.ca/"
-%}
-
-{% include legacy/cardv2.html
- title="PixelFed - Instagram Alternative"
- image="/assets/img/legacy_svg/3rd-party/pixelfed.svg"
- description='PixelFed is a free and ethical photo sharing platform, powered by ActivityPub federation. Pixelfed is an open-source, federated platform. You can run your own instance or join an existing one.'
- website="https://pixelfed.org/"
- github="https://github.com/pixelfed"
- web="https://pixelfed.org/"
-%}
-
-{% include legacy/cardv2.html
- title="Pleroma - Twitter Alternative"
- image="/assets/img/legacy_svg/3rd-party/pleroma.svg"
- description="Pleroma is a free, federated social networking server built on open protocols. It is compatible with Mastodon and many other ActivityPub and OStatus implementations."
- website="https://pleroma.social"
- gitlab="https://git.pleroma.social/pleroma/pleroma/"
- windows="https://docs-develop.pleroma.social/backend/clients/#desktop"
- mac="https://docs-develop.pleroma.social/backend/clients/#desktop"
- linux="https://docs-develop.pleroma.social/backend/clients/#desktop"
- android="https://docs-develop.pleroma.social/backend/clients/#handheld"
- fdroid="https://docs-develop.pleroma.social/backend/clients/#handheld"
- googleplay="https://docs-develop.pleroma.social/backend/clients/#handheld"
- ios="https://docs-develop.pleroma.social/backend/clients/#handheld"
- web="https://docs-develop.pleroma.social/backend/clients/#alternative-web-interfaces"
-%}
-
-

Worth Mentioning

-
    -
  • Movim - A federated social platform that relies on the XMPP standard and therefore allows you to exchange with many other clients on all devices.
  • -
diff --git a/_includes/legacy/sections/social-news-aggregator.html b/_includes/legacy/sections/social-news-aggregator.html
deleted file mode 100644
index 36ca3462..00000000
--- a/_includes/legacy/sections/social-news-aggregator.html
+++ /dev/null
@@ -1,33 +0,0 @@
-

Social News Aggregators

-
-
-
-{% include legacy/cardv2.html
-title="Tildes"
-image="/assets/img/legacy_svg/3rd-party/tildes.svg"
-description='Tildes is a web-based self-hostable online bulletin board. It is licensed under AGPLv3.'
-website="https://tildes.net"
-privacy-policy="https://docs.tildes.net/policies/privacy-policy"
-gitlab="https://gitlab.com/tildes/tildes"
-web="https://tildes.net"
-%}
-
-{% include legacy/cardv2.html
-title="Lemmy"
-image="/assets/img/legacy_svg/3rd-party/lemmy.svg"
-description='Lemmy is an AGPL-licensed self-hostable link aggregator and discussion network designed to serve as an alternative to Reddit within the ActivityPub Fediverse.'
-website="https://dev.lemmy.ml/"
-github="https://github.com/LemmyNet/lemmy/"
-web="https://join-lemmy.org/"
-%}
-
-

Worth Mentioning

-
-
diff --git a/_includes/legacy/sections/vpn.html b/_includes/legacy/sections/vpn.html
deleted file mode 100644
index 70bea3a3..00000000
--- a/_includes/legacy/sections/vpn.html
+++ /dev/null
@@ -1,124 +0,0 @@
-

Recommended VPN Services

- - - -
- -
-
- Mullvad -
-
-

- Mullvad - {% include badge.html color="info" text="EUR €60/y" %} -

-

Mullvad.net is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since 2009. Mullvad is based in Sweden and does not have a free trial.

-
{% include badge.html color="success" text="35 Countries" %}
-

Mullvad has servers in 35 countries at the time of writing this page. Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.

-

We also think it's better for the security of the VPN provider's private keys if they use dedicated servers, instead of cheaper shared solutions (with other customers) such as virtual private servers.

-
{% include badge.html color="success" text="Independently Audited" %}
-

Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report published at cure53.de. The security researchers concluded:

-
-

Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.

-
-

In 2020 a second audit was announced and the final audit report was made available on Cure53's website:

-
-

The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.

-
-

In 2021 an infrastructure audit was announced and the final audit report was made available on Cure53's website.

-
{% include badge.html color="success" text="Open Source Clients" %}
-

Mullvad provides the source code for their desktop and mobile clients in their GitHub organization.

-
{% include badge.html color="success" text="Accepts Bitcoin" %}
-

Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, and cash/local currency as anonymous forms of payment. They also accept Swish and bank wire transfers.

-
{% include badge.html color="success" text="WireGuard Support" %}
-

Mullvad supports the WireGuard® protocol. WireGuard is a newer protocol that utilizes state-of-the-art cryptography. Additionally, WireGuard aims to be simpler and more performant.

-

Mullvad recommends the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, whereas Windows users have to manually enable WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard apps.

-
{% include badge.html color="success" text="IPv6 Support" %}
-

Mullvad supports the future of networking IPv6. Their network allows users to access services hosted on IPv6 as opposed to other providers who block IPv6 connections.

-
{% include badge.html color="success" text="Remote Port Forwarding" %}
-

Remote port forwarding is allowed for users who make one-time payments, and not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify port users based on stored subscription information. See Port forwarding with Mullvad VPN for more information.

-
{% include badge.html color="success" text="Mobile Clients" %}
-

Mullvad has published App Store and Google Play clients, both supporting an easy-to use interface as opposed to requiring users to manual configure their WireGuard connections. The mobile client on Android is also available in F-Droid, which ensures that it is compiled with reproducible builds.

-
{% include badge.html color="info" text="Extra Functionality" %}
-

Mullvad is very transparent about which nodes they own or rent. They use ShadowSocks in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with Deep Packet Inspection trying to block VPNs. Supposedly, China has to use a different method to block ShadowSocks servers. Mullvad's website is also accessible via Tor at o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion.

-
-
-
-
- ProtonVPN -
-
-

- ProtonVPN - {% include badge.html color="info" text="Free" %} - {% include badge.html color="info" text="Basic USD $48/y" %} - {% include badge.html color="secondary" text="Plus USD $96/y" %} -

-

ProtonVPN.com is a strong contender in the VPN space, and they have been in operation since 2016. ProtonVPN is based in Switzerland and offers a limited free pricing tier, as well as premium options. They offer a further 14% discount for buying a 2 year subscription.

-
{% include badge.html color="success" text="44 Countries" %}
-

ProtonVPN has servers in 44 countries at the time of writing this page. Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.

-

We also think it's better for the security of the VPN provider's private keys if they use dedicated servers, instead of cheaper shared solutions (with other customers) such as virtual private servers.

-
{% include badge.html color="success" text="Independently Audited" %}
-

As of January 2020 ProtonVPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in ProtonVPN's Windows, Android, and iOS applications, all of which were "properly fixed" by ProtonVPN before the reports were published. None of the issues identified would have provided an attacker remote access to a user's device or traffic. You can view individual reports for each platform at protonvpn.com. -

{% include badge.html color="success" text="Open Source Clients" %}
-

ProtonVPN provides the source code for their desktop and mobile clients in their GitHub organization.

-
{% include badge.html color="success" text="Accepts Bitcoin" %}
-

ProtonVPN does technically accept Bitcoin payments; however, you either need to have an existing account, or contact their support team in advance to register with Bitcoin.

-
{% include badge.html color="success" text="WireGuard Support" %}
-

ProtonVPN mostly supports the WireGuard® protocol. WireGuard is a newer protocol that utilizes state-of-the-art cryptography. Additionally, WireGuard aims to be simpler and more performant.

-

ProtonVPN recommends the use of WireGuard with their service. On ProtonVPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, support for the protocol is not present in their Linux app.

-
{% include badge.html color="success" text="Mobile Clients" %}
-

In addition to providing standard OpenVPN configuration files, ProtonVPN has mobile clients for App Store and Google Play allowing for easy connections to their servers. The mobile client on Android is also available in F-Droid, which ensures that it is compiled with reproducible builds.

-
{% include badge.html color="warning" text="No Port Forwarding" %}
-

ProtonVPN does not currently support remote port forwarding, which may impact some applications. Especially Peer-to-Peer applications like Torrent clients.

-
{% include badge.html color="info" text="Extra Functionality" %}
-

ProtonVPN have their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, ProtonVPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using the official Tor Browser for this purpose.

-
-
-
-
- IVPN -
-
-

- IVPN - {% include badge.html color="info" text="Standard USD $60/y" %} - {% include badge.html color="secondary" text="Pro USD $100/y" %} -

-

IVPN.net is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.

-
{% include badge.html color="success" text="32 Countries" %}
-

IVPN has servers in 32 countries at the time of writing this page. Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.

-

We also think it's better for the security of the VPN provider's private keys if they use dedicated servers, instead of cheaper shared solutions (with other customers) such as virtual private servers.

-
{% include badge.html color="success" text="Independently Audited" %}
-

IVPN has undergone a no-logging audit from Cure53 which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a comprehensive pentest report Cure53 in January 2020. IVPN has also said they plan to have annual reports in the future.

-
{% include badge.html color="success" text="Open Source Clients" %}
-

As of Feburary 2020 IVPN applications are now open source. Source code can be obtained from their GitHub organization.

-
{% include badge.html color="success" text="Accepts Bitcoin" %}
-

In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, Monero and cash/local currency (on annual plans) as anonymous forms of payment.

-
{% include badge.html color="success" text="WireGuard Support" %}
-

IVPN supports the WireGuard® protocol. WireGuard is a newer protocol that utilizes state-of-the-art cryptography. Additionally, WireGuard aims to be simpler and more performant.

-

IVPN recommends the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard apps.

-
{% include badge.html color="success" text="Remote Port Forwarding" %}
-

Remote port forwarding is possible with a Pro plan. Port forwarding can be activated via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is disabled on US servers.

-
{% include badge.html color="success" text="Mobile Clients" %}
-

In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for App Store and Google Play allowing for easy connections to their servers. The mobile client on Android is also available in F-Droid, which ensures that it is compiled with reproducible builds.

-
{% include badge.html color="info" text="Extra Functionality" %}
-

IVPN clients support two factor authentication (Mullvad and ProtonVPN clients do not). IVPN also provides "AntiTracker" functionality, which blocks advertising networks and trackers from the network level.

-
-
-
- -
-
-
diff --git a/_includes/legacy/sections/warrant-canary.html b/_includes/legacy/sections/warrant-canary.html
deleted file mode 100644
index 17b8973d..00000000
--- a/_includes/legacy/sections/warrant-canary.html
+++ /dev/null
@@ -1,18 +0,0 @@
-

What is a warrant canary?

- -

A warrant canary is a posted document stating that an organization has not received any secret subpoenas during a specific period of time. If this document fails to be updated during the specified time then the user is to assume that the service has received such a subpoena and should stop using the service.

- -

Warrant Canary Examples:

- -
    -
  1. https://www.ivpn.net/resources/canary.txt
  2. -
  3. https://www.bolehvpn.net/canary.txt
  4. -
- -

Related Warrant Canary Information

-
-
diff --git a/_includes/media-left.html b/_includes/media-left.html
deleted file mode 100644
index 3bb0c77f..00000000
--- a/_includes/media-left.html
+++ /dev/null
@@ -1,8 +0,0 @@
-
-
- {{ include.alt }} -
-
- {{ include.text | markdownify }} -
-
diff --git a/_includes/nav.html b/_includes/nav.html deleted file mode 100644 index b31e1401..00000000 --- a/_includes/nav.html +++ /dev/null @@ -1,42 +0,0 @@ - diff --git a/_includes/recommendation-card.html b/_includes/recommendation-card.html deleted file mode 100644 index 06e106f9..00000000 --- a/_includes/recommendation-card.html +++ /dev/null @@ -1,68 +0,0 @@ -
-
-
-
- - {% if item.logo_dark %}{% endif %} - {{ item.name }} logo - -
-
-

{{ item.title }}

- {% if item.info %}

{{ item.info }}

{% endif %} - {% if item.warning %}

{{ item.warning }}

{% endif %} - {% if item.labels %} -

- {% assign labels = item.labels | split:"|" %} - {% for label in labels %} - {% assign label_data = label | split:"::" %} - {% for label_attr in label_data %} - {% assign attr = label_attr | split:"==" %} - {% if attr[0] == "color" %} - {% assign color = attr[1] %} - {% elsif attr[0] == "link" %} - {% assign link = attr[1] %} - {% elsif attr[0] == "text" %} - {% assign text = attr[1] %} - {% elsif attr[0] == "icon" %} - {% assign icon = attr[1] %} - {% elsif attr[0] == "tooltip" %} - {% assign tooltip = attr[1] %} - {% endif %} - {% endfor %} - {% include badge.html - link=link - color=color - text=text - icon=icon - tooltip=tooltip - %} - {% assign color = nil %} - {% assign link = nil %} - {% assign text = nil %} - {% assign icon = nil %} - {% assign tooltip = nil %} - {% endfor %} -

- {% endif %} - {{ item.description | markdownify }} - {% if item.downloads %}

{% for platform in item.downloads %} - - {% endfor %} -

{% endif %} - {% if item.website or item.article %}
- {% if item.article %} - More Information{% endif %} - {% if item.website %} - Visit {{ item.website | remove_first: "www." | split: "/" | slice: 2 }} - {% if item.privacy_policy %} Privacy Policy{% endif %} - {% if item.website_tor %} - {% endif %} - {% endif %} -
{% endif %} -
-
-
-
diff --git a/_includes/recommendation-table.html b/_includes/recommendation-table.html deleted file mode 100644 index a3f2fd19..00000000 --- a/_includes/recommendation-table.html +++ /dev/null @@ -1,13 +0,0 @@ -
- - - {% include table-header-{{ include.data }}.html %} - - - {% for provider in site.data[include.data] %} - {% include table-row-{{ include.data }}.html data=provider %} - {% endfor %} - -
-
-

View table data on GitHub

diff --git a/_includes/recommendation-text.html b/_includes/recommendation-text.html deleted file mode 100644 index 53a30530..00000000 --- a/_includes/recommendation-text.html +++ /dev/null @@ -1,15 +0,0 @@ -

- {% else %}">{% endif %} {{ item.title }} -

-{{ item.description | markdownify }} -{% if item.downloads or item.website or item.article %}

- {% capture text %} - {% if item.article %} | More Information{% endif %} - {% if item.website %} | Project Website{% endif %} - {% if item.downloads %} - {% for platform in item.downloads %} - | {{ platform.name }} - {% endfor %} - {% endif %} - {% endcapture %}{{ text | remove_first: '| ' }} -

{% endif %} diff --git a/_includes/svg/phone-like-icon.svg b/_includes/svg/phone-like-icon.svg deleted file mode 100644 index 82223530..00000000 --- a/_includes/svg/phone-like-icon.svg +++ /dev/null @@ -1 +0,0 @@ - diff --git a/_includes/svg/plan-icon.svg b/_includes/svg/plan-icon.svg deleted file mode 100644 index 3f135ccb..00000000 --- a/_includes/svg/plan-icon.svg +++ /dev/null @@ -1 +0,0 @@ - diff --git a/_includes/svg/privacy-guides-logo.svg b/_includes/svg/privacy-guides-logo.svg deleted file mode 100644 index 55a183ce..00000000 --- a/_includes/svg/privacy-guides-logo.svg +++ /dev/null @@ -1,58 +0,0 @@ - - Privacy Guides - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/_includes/svg/surveillance-eye.svg b/_includes/svg/surveillance-eye.svg deleted file mode 100644 index 60730ff1..00000000 --- a/_includes/svg/surveillance-eye.svg +++ /dev/null @@ -1 +0,0 @@ - diff --git a/_includes/table-header-dns.html b/_includes/table-header-dns.html deleted file mode 100644 index d9da1b89..00000000 --- a/_includes/table-header-dns.html +++ /dev/null @@ -1,9 +0,0 @@ - - DNS Provider - Privacy Policy - Type - Protocols - Logging - ECS - Filtering - diff --git a/_includes/table-row-dns.html b/_includes/table-row-dns.html deleted file mode 100644 index 92a322ee..00000000 --- a/_includes/table-row-dns.html +++ /dev/null @@ -1,38 +0,0 @@ -{% assign data = include.data[1] %} - - {{ data.title }} - - - {% if data.privacy_policy.link %} - - {% else %} - {% endif %} - -{% if data.type.link %}{{ data.type.name }} - {% else %}{{ data.type.name }}{% endif %} - -
    {%- for protocol in data.protocols -%} -
  • {{ protocol.name }}{% if protocol.tooltip %} - - {% endif %}
  • {%- endfor -%}
- -{% if data.logs.policy %}{% if data.logs.link %} - {{ data.logs.text | default: 'Yes' }}{% unless data.logs.link %}{% if data.logs.tooltip %} {% endif %}{% endunless %} - {% else %}No{% endif %} - - No - {% else %}data-value="Yes" class="table-info"> {{ data.ecs.text }} {% endunless %} - - - {{ data.filtering | escape | default: 'Unknown?' }} - {% if data.source %} - - {% endif %} - \ No newline at end of file diff --git a/_includes/table-unencrypted-dns.html b/_includes/table-unencrypted-dns.html deleted file mode 100644 index e12650e2..00000000 --- a/_includes/table-unencrypted-dns.html +++ /dev/null @@ -1,53 +0,0 @@ -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No.TimeSourceDestinationProtocolLengthInfo
10.000000192.0.2.11.1.1.1DNS104Standard query 0x58ba A privacyguides.org OPT
20.2933951.1.1.1192.0.2.1DNS108Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT
31.682109192.0.2.18.8.8.8DNS104Standard query 0xf1a9 A privacyguides.org OPT
42.1546988.8.8.8192.0.2.1DNS108Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT
-
diff --git a/_layouts/default.html b/_layouts/default.html deleted file mode 100644 index 518e88c5..00000000 --- a/_layouts/default.html +++ /dev/null @@ -1,16 +0,0 @@ - - -{% include head.html %} - -
- {% include nav.html %} -
-
- {{ content }} -
- - - - {% if page.mathjax %}{% endif %} - - diff --git a/_layouts/evergreen.html b/_layouts/evergreen.html deleted file mode 100644 index aea6e959..00000000 --- a/_layouts/evergreen.html +++ /dev/null @@ -1,4 +0,0 @@ ---- -layout: page ---- -{{ content }} diff --git a/_layouts/page.html b/_layouts/page.html deleted file mode 100644 index 3d24fe64..00000000 --- a/_layouts/page.html +++ /dev/null @@ -1,12 +0,0 @@ ---- -layout: default ---- -
-

{{ page.title }}

- {% if page.description %}
- {{ page.description | markdownify }} -
{% endif %} - {{ content }} - {% include hr.html %} - {% include footer.html %} -
diff --git a/_layouts/post.html b/_layouts/post.html deleted file mode 100644 index ac36df65..00000000 --- a/_layouts/post.html +++ /dev/null @@ -1,48 +0,0 @@ ---- -layout: default ---- - - - -
-
-
-
-
-

{{ page.title }}

-
-
- -
-
-
-
-
-
-
-
- {{ content }} -
-
- {% if page.canonical or page.cover_src_publisher %}
- {% if page.cover_src_publisher %}

Cover photo: {{ page.cover_src_publisher }}. Used with permission.

{% endif %} - {% if page.canonical %}

This post was originally published on {% if page.canonical_publisher %}{{ page.canonical_publisher }}{% else %}{{ page.canonical }}{% endif %} and has been syndicated here with the permission of the author or publication.{% endif %}

{% endif %} - {% include hr.html %} - {% include footer.html %} -
diff --git a/_layouts/recommendation.html b/_layouts/recommendation.html deleted file mode 100644 index 3f1eed82..00000000 --- a/_layouts/recommendation.html +++ /dev/null @@ -1,24 +0,0 @@ ---- -layout: default ---- -
-
- {% if page.logo %}
- {{ page.title }} logo -
{% endif %} -
- {% if page.type == "Anti-Recommendation" %}

{% include badge.html - color="danger" - text="Anti-Recommendation" - icon="fas fa-times-octagon" - %}

{% endif %} -

{{ page.title }}

- {% if page.description %}{{ page.description | markdownify }}{% endif %} - {% if page.website %}Visit {{ page.website | remove:'https://' | split:'/' | first }}{% endif %} -
-
- {{ content }} - {% include downloads.html %} - {% include hr.html %} - {% include footer.html %} -
diff --git a/_sass/brand.scss b/_sass/brand.scss
deleted file mode 100644
index 98a29562..00000000
--- a/_sass/brand.scss
+++ /dev/null
@@ -1,22 +0,0 @@
-// Fancy new Privacy Guides Color Scheme
-$primary: #FFD06F;
-$secondary: #2B589C;
-$success: #03CEA4;
-$info: #AA78A6;
-$warning: #FB4D3D;
-$danger: #CA1551;
-$light: #FFF6EB;
-$dark: #101619;
-
-/* Social */
-$twitter: #FFD06F;
-$mastodon: #FFD06F;
-$facebook: #FFD06F;
-$mix: #FFD06F;
-$reddit: #FFD06F;
-$linkedin: #FFD06F;
-$email: #FFD06F;
-$diaspora: #FFD06F;
-
-$body-color: #28323F;
-$link-color: $secondary;
diff --git a/_sass/custom.scss b/_sass/custom.scss
deleted file mode 100644
index 887b8519..00000000
--- a/_sass/custom.scss
+++ /dev/null
@@ -1,35 +0,0 @@
-.no-text-wrap {
- white-space: nowrap;
-}
-
-.panel-pic {
- float: left;
- margin-right: 15px;
-}
-
-.table td, .table th {
- vertical-align: middle;
-}
-
-h2, h3, h4, h5:not(.h5) {
- margin-top: 2.5rem;
- margin-bottom: 1rem;
-}
-
-.h5 {
- margin-top: 0.3rem;
- margin-bottom: 0.3rem;
-}
-
-// SVG Color Inversion
-.svg-primary {
- fill: $svg-primary;
-}
-.svg-dark {
- fill: $svg-dark;
-}
-.svg-light {
- fill: $svg-light;
-}
-
-@import "sortable";
diff --git a/_sass/flag-icon.scss b/_sass/flag-icon.scss
deleted file mode 100644
index 9df0f80b..00000000
--- a/_sass/flag-icon.scss
+++ /dev/null
@@ -1 +0,0 @@ -.flag-icon,.flag-icon-background{background-repeat:no-repeat;background-size:contain;background-position:50%}.flag-icon{position:relative;display:inline-block;width:1.33333333em;line-height:1em}.flag-icon:before{content:"\00a0"}.flag-icon-ad{background-image:url("../img/flags/ad.svg")}.flag-icon-ae{background-image:url("../img/flags/ae.svg")}.flag-icon-af{background-image:url("../img/flags/af.svg")}.flag-icon-ag{background-image:url("../img/flags/ag.svg")}.flag-icon-ai{background-image:url("../img/flags/ai.svg")}.flag-icon-al{background-image:url("../img/flags/al.svg")}.flag-icon-am{background-image:url("../img/flags/am.svg")}.flag-icon-ao{background-image:url("../img/flags/ao.svg")}.flag-icon-aq{background-image:url("../img/flags/aq.svg")}.flag-icon-ar{background-image:url("../img/flags/ar.svg")}.flag-icon-as{background-image:url("../img/flags/as.svg")}.flag-icon-at{background-image:url("../img/flags/at.svg")}.flag-icon-au{background-image:url("../img/flags/au.svg")}.flag-icon-aw{background-image:url("../img/flags/aw.svg")}.flag-icon-ax{background-image:url("../img/flags/ax.svg")}.flag-icon-az{background-image:url("../img/flags/az.svg")}.flag-icon-ba{background-image:url("../img/flags/ba.svg")}.flag-icon-bb{background-image:url("../img/flags/bb.svg")}.flag-icon-bd{background-image:url("../img/flags/bd.svg")}.flag-icon-be{background-image:url("../img/flags/be.svg")}.flag-icon-bf{background-image:url("../img/flags/bf.svg")}.flag-icon-bg{background-image:url("../img/flags/bg.svg")}.flag-icon-bh{background-image:url("../img/flags/bh.svg")}.flag-icon-bi{background-image:url("../img/flags/bi.svg")}.flag-icon-bj{background-image:url("../img/flags/bj.svg")}.flag-icon-bl{background-image:url("../img/flags/bl.svg")}.flag-icon-bm{background-image:url("../img/flags/bm.svg")}.flag-icon-bn{background-image:url("../img/flags/bn.svg")}.flag-icon-bo{background-image:url("../img/flags/bo.svg")}.flag-icon-bq{background-image:url("../img/flags/bq.svg")}.flag-icon-br{bac
kground-image:url("../img/flags/br.svg")}.flag-icon-bs{background-image:url("../img/flags/bs.svg")}.flag-icon-bt{background-image:url("../img/flags/bt.svg")}.flag-icon-bv{background-image:url("../img/flags/bv.svg")}.flag-icon-bw{background-image:url("../img/flags/bw.svg")}.flag-icon-by{background-image:url("../img/flags/by.svg")}.flag-icon-bz{background-image:url("../img/flags/bz.svg")}.flag-icon-ca{background-image:url("../img/flags/ca.svg")}.flag-icon-cc{background-image:url("../img/flags/cc.svg")}.flag-icon-cd{background-image:url("../img/flags/cd.svg")}.flag-icon-cf{background-image:url("../img/flags/cf.svg")}.flag-icon-cg{background-image:url("../img/flags/cg.svg")}.flag-icon-ch{background-image:url("../img/flags/ch.svg")}.flag-icon-ci{background-image:url("../img/flags/ci.svg")}.flag-icon-ck{background-image:url("../img/flags/ck.svg")}.flag-icon-cl{background-image:url("../img/flags/cl.svg")}.flag-icon-cm{background-image:url("../img/flags/cm.svg")}.flag-icon-cn{background-image:url("../img/flags/cn.svg")}.flag-icon-co{background-image:url("../img/flags/co.svg")}.flag-icon-cr{background-image:url("../img/flags/cr.svg")}.flag-icon-cu{background-image:url("../img/flags/cu.svg")}.flag-icon-cv{background-image:url("../img/flags/cv.svg")}.flag-icon-cw{background-image:url("../img/flags/cw.svg")}.flag-icon-cx{background-image:url("../img/flags/cx.svg")}.flag-icon-cy{background-image:url("../img/flags/cy.svg")}.flag-icon-cz{background-image:url("../img/flags/cz.svg")}.flag-icon-de{background-image:url("../img/flags/de.svg")}.flag-icon-dj{background-image:url("../img/flags/dj.svg")}.flag-icon-dk{background-image:url("../img/flags/dk.svg")}.flag-icon-dm{background-image:url("../img/flags/dm.svg")}.flag-icon-do{background-image:url("../img/flags/do.svg")}.flag-icon-dz{background-image:url("../img/flags/dz.svg")}.flag-icon-ec{background-image:url("../img/flags/ec.svg")}.flag-icon-ee{background-image:url("../img/flags/ee.svg")}.flag-icon-eg{background-image:url("../img/fl
ags/eg.svg")}.flag-icon-eh{background-image:url("../img/flags/eh.svg")}.flag-icon-er{background-image:url("../img/flags/er.svg")}.flag-icon-es{background-image:url("../img/flags/es.svg")}.flag-icon-et{background-image:url("../img/flags/et.svg")}.flag-icon-fi{background-image:url("../img/flags/fi.svg")}.flag-icon-fj{background-image:url("../img/flags/fj.svg")}.flag-icon-fk{background-image:url("../img/flags/fk.svg")}.flag-icon-fm{background-image:url("../img/flags/fm.svg")}.flag-icon-fo{background-image:url("../img/flags/fo.svg")}.flag-icon-fr{background-image:url("../img/flags/fr.svg")}.flag-icon-ga{background-image:url("../img/flags/ga.svg")}.flag-icon-gb{background-image:url("../img/flags/gb.svg")}.flag-icon-gd{background-image:url("../img/flags/gd.svg")}.flag-icon-ge{background-image:url("../img/flags/ge.svg")}.flag-icon-gf{background-image:url("../img/flags/gf.svg")}.flag-icon-gg{background-image:url("../img/flags/gg.svg")}.flag-icon-gh{background-image:url("../img/flags/gh.svg")}.flag-icon-gi{background-image:url("../img/flags/gi.svg")}.flag-icon-gl{background-image:url("../img/flags/gl.svg")}.flag-icon-gm{background-image:url("../img/flags/gm.svg")}.flag-icon-gn{background-image:url("../img/flags/gn.svg")}.flag-icon-gp{background-image:url("../img/flags/gp.svg")}.flag-icon-gq{background-image:url("../img/flags/gq.svg")}.flag-icon-gr{background-image:url("../img/flags/gr.svg")}.flag-icon-gs{background-image:url("../img/flags/gs.svg")}.flag-icon-gt{background-image:url("../img/flags/gt.svg")}.flag-icon-gu{background-image:url("../img/flags/gu.svg")}.flag-icon-gw{background-image:url("../img/flags/gw.svg")}.flag-icon-gy{background-image:url("../img/flags/gy.svg")}.flag-icon-hk{background-image:url("../img/flags/hk.svg")}.flag-icon-hm{background-image:url("../img/flags/hm.svg")}.flag-icon-hn{background-image:url("../img/flags/hn.svg")}.flag-icon-hr{background-image:url("../img/flags/hr.svg")}.flag-icon-ht{background-image:url("../img/flags/ht.svg")}.flag-icon-hu{b
ackground-image:url("../img/flags/hu.svg")}.flag-icon-id{background-image:url("../img/flags/id.svg")}.flag-icon-ie{background-image:url("../img/flags/ie.svg")}.flag-icon-il{background-image:url("../img/flags/il.svg")}.flag-icon-im{background-image:url("../img/flags/im.svg")}.flag-icon-in{background-image:url("../img/flags/in.svg")}.flag-icon-io{background-image:url("../img/flags/io.svg")}.flag-icon-iq{background-image:url("../img/flags/iq.svg")}.flag-icon-ir{background-image:url("../img/flags/ir.svg")}.flag-icon-is{background-image:url("../img/flags/is.svg")}.flag-icon-it{background-image:url("../img/flags/it.svg")}.flag-icon-je{background-image:url("../img/flags/je.svg")}.flag-icon-jm{background-image:url("../img/flags/jm.svg")}.flag-icon-jo{background-image:url("../img/flags/jo.svg")}.flag-icon-jp{background-image:url("../img/flags/jp.svg")}.flag-icon-ke{background-image:url("../img/flags/ke.svg")}.flag-icon-kg{background-image:url("../img/flags/kg.svg")}.flag-icon-kh{background-image:url("../img/flags/kh.svg")}.flag-icon-ki{background-image:url("../img/flags/ki.svg")}.flag-icon-km{background-image:url("../img/flags/km.svg")}.flag-icon-kn{background-image:url("../img/flags/kn.svg")}.flag-icon-kp{background-image:url("../img/flags/kp.svg")}.flag-icon-kr{background-image:url("../img/flags/kr.svg")}.flag-icon-kw{background-image:url("../img/flags/kw.svg")}.flag-icon-ky{background-image:url("../img/flags/ky.svg")}.flag-icon-kz{background-image:url("../img/flags/kz.svg")}.flag-icon-la{background-image:url("../img/flags/la.svg")}.flag-icon-lb{background-image:url("../img/flags/lb.svg")}.flag-icon-lc{background-image:url("../img/flags/lc.svg")}.flag-icon-li{background-image:url("../img/flags/li.svg")}.flag-icon-lk{background-image:url("../img/flags/lk.svg")}.flag-icon-lr{background-image:url("../img/flags/lr.svg")}.flag-icon-ls{background-image:url("../img/flags/ls.svg")}.flag-icon-lt{background-image:url("../img/flags/lt.svg")}.flag-icon-lu{background-image:url("../img/
flags/lu.svg")}.flag-icon-lv{background-image:url("../img/flags/lv.svg")}.flag-icon-ly{background-image:url("../img/flags/ly.svg")}.flag-icon-ma{background-image:url("../img/flags/ma.svg")}.flag-icon-mc{background-image:url("../img/flags/mc.svg")}.flag-icon-md{background-image:url("../img/flags/md.svg")}.flag-icon-me{background-image:url("../img/flags/me.svg")}.flag-icon-mf{background-image:url("../img/flags/mf.svg")}.flag-icon-mg{background-image:url("../img/flags/mg.svg")}.flag-icon-mh{background-image:url("../img/flags/mh.svg")}.flag-icon-mk{background-image:url("../img/flags/mk.svg")}.flag-icon-ml{background-image:url("../img/flags/ml.svg")}.flag-icon-mm{background-image:url("../img/flags/mm.svg")}.flag-icon-mn{background-image:url("../img/flags/mn.svg")}.flag-icon-mo{background-image:url("../img/flags/mo.svg")}.flag-icon-mp{background-image:url("../img/flags/mp.svg")}.flag-icon-mq{background-image:url("../img/flags/mq.svg")}.flag-icon-mr{background-image:url("../img/flags/mr.svg")}.flag-icon-ms{background-image:url("../img/flags/ms.svg")}.flag-icon-mt{background-image:url("../img/flags/mt.svg")}.flag-icon-mu{background-image:url("../img/flags/mu.svg")}.flag-icon-mv{background-image:url("../img/flags/mv.svg")}.flag-icon-mw{background-image:url("../img/flags/mw.svg")}.flag-icon-mx{background-image:url("../img/flags/mx.svg")}.flag-icon-my{background-image:url("../img/flags/my.svg")}.flag-icon-mz{background-image:url("../img/flags/mz.svg")}.flag-icon-na{background-image:url("../img/flags/na.svg")}.flag-icon-nc{background-image:url("../img/flags/nc.svg")}.flag-icon-ne{background-image:url("../img/flags/ne.svg")}.flag-icon-nf{background-image:url("../img/flags/nf.svg")}.flag-icon-ng{background-image:url("../img/flags/ng.svg")}.flag-icon-ni{background-image:url("../img/flags/ni.svg")}.flag-icon-nl{background-image:url("../img/flags/nl.svg")}.flag-icon-no{background-image:url("../img/flags/no.svg")}.flag-icon-np{background-image:url("../img/flags/np.svg")}.flag-icon-nr
{background-image:url("../img/flags/nr.svg")}.flag-icon-nu{background-image:url("../img/flags/nu.svg")}.flag-icon-nz{background-image:url("../img/flags/nz.svg")}.flag-icon-om{background-image:url("../img/flags/om.svg")}.flag-icon-pa{background-image:url("../img/flags/pa.svg")}.flag-icon-pe{background-image:url("../img/flags/pe.svg")}.flag-icon-pf{background-image:url("../img/flags/pf.svg")}.flag-icon-pg{background-image:url("../img/flags/pg.svg")}.flag-icon-ph{background-image:url("../img/flags/ph.svg")}.flag-icon-pk{background-image:url("../img/flags/pk.svg")}.flag-icon-pl{background-image:url("../img/flags/pl.svg")}.flag-icon-pm{background-image:url("../img/flags/pm.svg")}.flag-icon-pn{background-image:url("../img/flags/pn.svg")}.flag-icon-pr{background-image:url("../img/flags/pr.svg")}.flag-icon-ps{background-image:url("../img/flags/ps.svg")}.flag-icon-pt{background-image:url("../img/flags/pt.svg")}.flag-icon-pw{background-image:url("../img/flags/pw.svg")}.flag-icon-py{background-image:url("../img/flags/py.svg")}.flag-icon-qa{background-image:url("../img/flags/qa.svg")}.flag-icon-re{background-image:url("../img/flags/re.svg")}.flag-icon-ro{background-image:url("../img/flags/ro.svg")}.flag-icon-rs{background-image:url("../img/flags/rs.svg")}.flag-icon-ru{background-image:url("../img/flags/ru.svg")}.flag-icon-rw{background-image:url("../img/flags/rw.svg")}.flag-icon-sa{background-image:url("../img/flags/sa.svg")}.flag-icon-sb{background-image:url("../img/flags/sb.svg")}.flag-icon-sc{background-image:url("../img/flags/sc.svg")}.flag-icon-sd{background-image:url("../img/flags/sd.svg")}.flag-icon-se{background-image:url("../img/flags/se.svg")}.flag-icon-sg{background-image:url("../img/flags/sg.svg")}.flag-icon-sh{background-image:url("../img/flags/sh.svg")}.flag-icon-si{background-image:url("../img/flags/si.svg")}.flag-icon-sj{background-image:url("../img/flags/sj.svg")}.flag-icon-sk{background-image:url("../img/flags/sk.svg")}.flag-icon-sl{background-image:url("../im
g/flags/sl.svg")}.flag-icon-sm{background-image:url("../img/flags/sm.svg")}.flag-icon-sn{background-image:url("../img/flags/sn.svg")}.flag-icon-so{background-image:url("../img/flags/so.svg")}.flag-icon-sr{background-image:url("../img/flags/sr.svg")}.flag-icon-ss{background-image:url("../img/flags/ss.svg")}.flag-icon-st{background-image:url("../img/flags/st.svg")}.flag-icon-sv{background-image:url("../img/flags/sv.svg")}.flag-icon-sx{background-image:url("../img/flags/sx.svg")}.flag-icon-sy{background-image:url("../img/flags/sy.svg")}.flag-icon-sz{background-image:url("../img/flags/sz.svg")}.flag-icon-tc{background-image:url("../img/flags/tc.svg")}.flag-icon-td{background-image:url("../img/flags/td.svg")}.flag-icon-tf{background-image:url("../img/flags/tf.svg")}.flag-icon-tg{background-image:url("../img/flags/tg.svg")}.flag-icon-th{background-image:url("../img/flags/th.svg")}.flag-icon-tj{background-image:url("../img/flags/tj.svg")}.flag-icon-tk{background-image:url("../img/flags/tk.svg")}.flag-icon-tl{background-image:url("../img/flags/tl.svg")}.flag-icon-tm{background-image:url("../img/flags/tm.svg")}.flag-icon-tn{background-image:url("../img/flags/tn.svg")}.flag-icon-to{background-image:url("../img/flags/to.svg")}.flag-icon-tr{background-image:url("../img/flags/tr.svg")}.flag-icon-tt{background-image:url("../img/flags/tt.svg")}.flag-icon-tv{background-image:url("../img/flags/tv.svg")}.flag-icon-tw{background-image:url("../img/flags/tw.svg")}.flag-icon-tz{background-image:url("../img/flags/tz.svg")}.flag-icon-ua{background-image:url("../img/flags/ua.svg")}.flag-icon-ug{background-image:url("../img/flags/ug.svg")}.flag-icon-um{background-image:url("../img/flags/um.svg")}.flag-icon-us{background-image:url("../img/flags/us.svg")}.flag-icon-uy{background-image:url("../img/flags/uy.svg")}.flag-icon-uz{background-image:url("../img/flags/uz.svg")}.flag-icon-va{background-image:url("../img/flags/va.svg")}.flag-icon-vc{background-image:url("../img/flags/vc.svg")}.flag-icon-
ve{background-image:url("../img/flags/ve.svg")}.flag-icon-vg{background-image:url("../img/flags/vg.svg")}.flag-icon-vi{background-image:url("../img/flags/vi.svg")}.flag-icon-vn{background-image:url("../img/flags/vn.svg")}.flag-icon-vu{background-image:url("../img/flags/vu.svg")}.flag-icon-wf{background-image:url("../img/flags/wf.svg")}.flag-icon-ws{background-image:url("../img/flags/ws.svg")}.flag-icon-ye{background-image:url("../img/flags/ye.svg")}.flag-icon-yt{background-image:url("../img/flags/yt.svg")}.flag-icon-za{background-image:url("../img/flags/za.svg")}.flag-icon-zm{background-image:url("../img/flags/zm.svg")}.flag-icon-zw{background-image:url("../img/flags/zw.svg")}.flag-icon-eu{background-image:url("../img/flags/eu.svg")}.flag-icon-gb-eng{background-image:url("../img/flags/gb-eng.svg")}.flag-icon-gb-sct{background-image:url("../img/flags/gb-sct.svg")}.flag-icon-gb-wls{background-image:url("../img/flags/gb-wls.svg")}.flag-icon-un{background-image:url("../img/flags/un.svg")} diff --git a/_sass/pg-font.scss b/_sass/pg-font.scss deleted file mode 100644 index 7d58c8fe..00000000 --- a/_sass/pg-font.scss +++ /dev/null 
@@ -1,62 +0,0 @@
-/*
- Icon Font: pg-font
-*/
-
-@font-face {
- font-family: "pg-font";
- src: url("../fonts/pg-font/pg-font.eot");
- src: url("../fonts/pg-font/pg-font.eot?#iefix") format("embedded-opentype"),
- url("../fonts/pg-font/pg-font.woff2") format("woff2"),
- url("../fonts/pg-font/pg-font.woff") format("woff"),
- url("../fonts/pg-font/pg-font.ttf") format("truetype"),
- url("../fonts/pg-font/pg-font.svg#pg-font") format("svg");
- font-weight: normal;
- font-style: normal;
-}
-
-@media screen and (-webkit-min-device-pixel-ratio:0) {
- @font-face {
- font-family: "pg-font";
- src: url("../fonts/pg-font/pg-font.svg#pg-font") format("svg");
- }
-}
-
-[data-icon]:before { content: attr(data-icon); }
-
-[data-icon]:before,
-.pg-f-droid:before,
-.pg-i2p:before,
-.pg-ios:before,
-.pg-linux:before,
-.pg-macos:before,
-.pg-mix:before,
-.pg-netbsd:before,
-.pg-openbsd:before,
-.pg-sailfish-os:before,
-.pg-qubes:before,
-.pg-tor:before {
- display: inline-block;
- font-family: "pg-font";
- font-style: normal;
- font-weight: normal;
- font-variant: normal;
- line-height: 1;
- text-decoration: inherit;
- text-rendering: optimizeLegibility;
- text-transform: none;
- -moz-osx-font-smoothing: grayscale;
- -webkit-font-smoothing: antialiased;
- font-smoothing: antialiased;
-}
-
-.pg-f-droid:before { content: "\f100"; }
-.pg-i2p:before { content: "\f10c"; }
-.pg-ios:before { content: "\f101"; }
-.pg-linux:before { content: "\f102"; }
-.pg-macos:before { content: "\f103"; }
-.pg-mix:before { content: "\f107"; }
-.pg-netbsd:before { content: "\f104"; }
-.pg-openbsd:before { content: "\f105"; }
-.pg-sailfish-os:before { content: "\f106"; }
-.pg-tor:before { content: "\f10b"; }
-.pg-qubes:before { content: "\f108" }
diff --git a/_sass/sortable.scss b/_sass/sortable.scss
deleted file mode 100644
index 9ce3cf95..00000000
--- a/_sass/sortable.scss
+++ /dev/null
@@ -1,90 +0,0 @@ -/* line 2, ../sass/_sortable.sass */ -table[data-sortable] { - border-collapse: collapse; - border-spacing: 0; -} -/* line 6, ../sass/_sortable.sass */ -table[data-sortable] th { - vertical-align: bottom; - font-weight: bold; -} -/* line 10, ../sass/_sortable.sass */ -table[data-sortable] th, table[data-sortable] td { - text-align: left; - padding: 10px; -} -/* line 14, ../sass/_sortable.sass */ -table[data-sortable] th:not([data-sortable="false"]) { - -webkit-user-select: none; - -moz-user-select: none; - -ms-user-select: none; - -o-user-select: none; - user-select: none; - -webkit-tap-highlight-color: rgba(0, 0, 0, 0); - -webkit-touch-callout: none; - cursor: pointer; -} -/* line 26, ../sass/_sortable.sass */ -table[data-sortable] th:after { - content: ""; - visibility: hidden; - display: inline-block; - vertical-align: inherit; - height: 0; - width: 0; - border-width: 5px; - border-style: solid; - border-color: transparent; - margin-right: 1px; - margin-left: 10px; - float: right; -} -/* line 40, ../sass/_sortable.sass */ -table[data-sortable] th[data-sorted="true"]:after { - visibility: visible; -} -/* line 43, ../sass/_sortable.sass */ -table[data-sortable] th[data-sorted-direction="descending"]:after { - border-top-color: inherit; - margin-top: 8px; -} -/* line 47, ../sass/_sortable.sass */ -table[data-sortable] th[data-sorted-direction="ascending"]:after { - border-bottom-color: inherit; - margin-top: 3px; -} - -/* line 5, ../sass/sortable-theme-bootstrap.sass */ -table[data-sortable].sortable-theme-bootstrap { - font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; - font-size: 14px; - line-height: 20px; - color: $table-color; - background: $table-bg; -} -/* line 12, ../sass/sortable-theme-bootstrap.sass */ -table[data-sortable].sortable-theme-bootstrap thead th { - border-bottom: 2px solid $table-border-color; -} -/* line 15, ../sass/sortable-theme-bootstrap.sass */ -table[data-sortable].sortable-theme-bootstrap tbody td { - 
border-top: 1px solid $table-border-color; -} -/* line 18, ../sass/sortable-theme-bootstrap.sass */ -table[data-sortable].sortable-theme-bootstrap th[data-sorted="true"] { - color: $table-color; - background: $table-active-bg; - border-bottom-color: $table-border-color; -} -/* line 23, ../sass/sortable-theme-bootstrap.sass */ -table[data-sortable].sortable-theme-bootstrap th[data-sorted="true"][data-sorted-direction="descending"]:after { - border-top-color: $table-border-color; -} -/* line 26, ../sass/sortable-theme-bootstrap.sass */ -table[data-sortable].sortable-theme-bootstrap th[data-sorted="true"][data-sorted-direction="ascending"]:after { - border-bottom-color: $table-color; -} -/* line 31, ../sass/sortable-theme-bootstrap.sass */ -table[data-sortable].sortable-theme-bootstrap.sortable-theme-bootstrap-striped tbody > tr:nth-child(odd) > td { - background-color: $table-active-bg; -} diff --git a/_sass/terminal.scss b/_sass/terminal.scss deleted file mode 100644 index d49d502e..00000000 --- a/_sass/terminal.scss +++ /dev/null @@ -1,20 +0,0 @@ -* { margin: 0; padding: 0; } - -.terminal { - font-size: 15px; - color: white; - background-color: black; - font-family: monospace; - overflow: scroll; - padding: 10px; - border-radius: 10px; - -ms-overflow-style: none; /* Internet Explorer 10+, make scrollbars invisible */ - scrollbar-width: none; /* Firefox, make scrollbars invisible */ - margin: 25px; -} - -.terminal::-webkit-scrollbar { /* WebKit, make scrollbars invisible */ - width: 0; - height: 0; - box-shadow: 0px 0px 10px rgba(0,0,0,.4) -} diff --git a/_sass/variables.scss b/_sass/variables.scss deleted file mode 100644 index 62ab65dd..00000000 --- a/_sass/variables.scss +++ /dev/null 
@@ -1,51 +0,0 @@
-/* Variables */
-
-$navbar-light-color: rgba($black, .7);
-$dropdown-link-color: $navbar-light-color;
-$navbar-light-active-color: $dark;
-$dropdown-link-hover-color: $navbar-light-active-color;
-
-/* Extra Colors */
-$theme-colors: (
- "primary": $primary,
- "secondary": $secondary,
- "success": $success,
- "info": $info,
- "warning": $warning,
- "danger": $danger,
- "light": $light,
- "dark": $dark
-);
-
-$colors: (
- "gray": $gray-600,
- "blue": $blue,
- "indigo": $indigo,
- "purple": $purple,
- "red": $red,
- "orange": $orange,
- "yellow": $yellow,
- "green": $green,
- "teal": $teal,
- "cyan": $cyan,
-);
-
-/* Cards */
-$card-shadow: 0 3px 10px 0 rgba(150, 150, 150, .2);
-$card-success-border: rgba(40, 167, 69, .5);
-$card-primary-border: rgba(0, 123, 255, .5);
-$card-warning-border: rgba(255, 193, 7, .5);
-
-/* Blockquote */
-$blockquote-border: #eee;
-
-/* Share button */
-$share-btn: #fff;
-$share-btn-shadow: 0 2px 0 0 rgba(0, 0, 0, .2);
-$share-btn-hover: #eee;
-$share-btn-active: #e2e2e2;
-
-/* SVG Colors */
-$svg-primary: $primary !default;
-$svg-dark: $body-color;
-$svg-light: $light !default;
diff --git a/assets/css/app.scss b/assets/css/app.scss
deleted file mode 100644
index b853e3d8..00000000
--- a/assets/css/app.scss
+++ /dev/null
@@ -1,110 +0,0 @@
----
----
-@import "./node_modules/bootstrap/scss/functions";
-@import "brand";
-@import "./node_modules/bootstrap/scss/variables";
-@import "variables";
-
-@import "./node_modules/bootstrap/scss/mixins";
-@import "./node_modules/bootstrap/scss/utilities";
-
-.flowchart{
- width: 40vmax;
- float: center;
- padding: 10px;
- background-color: var(--bs-body-bg);
-}
-
-$dm-grays: (
- "dm-white": $white,
- "dm-100": $gray-100,
- "dm-200": $gray-200,
- "dm-300": $gray-300,
- "dm-400": $gray-400,
- "dm-500": $gray-500,
- "dm-600": $gray-600,
- "dm-700": $gray-700,
- "dm-800": $gray-800,
- "dm-900": $gray-900,
- "dm-black": $black
-);
-
-$all-colors: map-merge-multiple($blues, $indigos, $purples, $pinks, $reds, $oranges, $yellows, $greens, $teals, $cyans, $grays, $dm-grays);
-
-$utilities: map-merge(
- $utilities,
- (
- "color": map-merge(
- map-get($utilities, "color"),
- (
- values: map-merge(
- map-get(map-get($utilities, "color"), "values"),
- (
- $all-colors
- ),
- ),
- ),
- ),
- )
-);
-
-$utilities: map-merge(
- $utilities,
- (
- "background-color": map-merge(
- map-get($utilities, "background-color"),
- (
- values: map-merge(
- map-get(map-get($utilities, "background-color"), "values"),
- (
- $all-colors
- ),
- ),
- ),
- ),
- )
-);
-
-.container-fullwidth {
- margin: 0 auto;
- width: 100%;
-}
-
-@font-face {
- font-family: Bagnard;
- src: url("/assets/fonts/Bagnard.woff") format("woff"), url("/assets/fonts/Bagnard.ttf") format("truetype"), url("/assets/fonts/Bagnard.otf") format("opentype");
-}
-
-h1, h2, h3:not(.h5), h4 {
- font-family: "Bagnard", serif;
-}
-
-// import /_sass/bootstrap.scss
-@import "./node_modules/bootstrap/scss/bootstrap";
-@import "pg-font";
-@import "flag-icon";
-@import "terminal";
-
-.textColor {
- fill: $dark;
-}
-
-.post-info, .post-title {
- color: theme-color("light");
- display: inline;
- padding: $spacer;
- /* Needs prefixing */
- -webkit-box-decoration-break: clone;
- box-decoration-break: clone;
-}
-
-.navbar-logo {
- @media (max-width: 400px) {
- width: 50px;
- }
- @media (min-width: 401px) {
- width: 300px;
- }
-}
-
-@import "custom";
diff --git a/assets/css/dark.scss b/assets/css/dark.scss
deleted file mode 100644
index 5b15e27b..00000000
--- a/assets/css/dark.scss
+++ /dev/null
@@ -1,136 +0,0 @@ ---- ---- -@import "./node_modules/bootstrap/scss/functions"; -@import "brand"; - -$primary: #EAB448; -$secondary: lighten( $secondary, 30% ); -$success: darken( $success, 10% ); -$info: darken( $info, 5% ); -$danger: lighten( $warning, 20% ); -$warning: darken( $warning, 30% ); - -$body-bg: $dark; -$card-bg: lighten( $dark, 5% ); -$body-color: $light; -$link-color: lighten( $link-color, 30% ); -$mark-bg: darken( $primary, 60% ); -$hr-border-color: $body-color; - -@import "./node_modules/bootstrap/scss/variables"; -@import "variables"; - -.flowchart{ - width: 40vmax; - float: center; - padding: 10px; - background-color: var(--bs-body-bg); -} - -$dm-grays: ( - "dm-white": $black, - "dm-100": $gray-900, - "dm-200": $gray-800, - "dm-300": $gray-700, - "dm-400": $gray-600, - "dm-500": $gray-500, - "dm-600": $gray-400, - "dm-700": $gray-300, - "dm-800": $gray-200, - "dm-900": $gray-100, - "dm-black": $white -); - -$card-shadow: 0 3px 10px 0 $dark; -$list-group-color: $body-color; -$list-group-bg: $card-bg; - -$alert-bg-level: 4; -$alert-border-level: 3; -$alert-color-level: -10; - -$table-border-color: lighten( $dark, 20% ); -$table-active-bg: rgba($white, .075); -$table-head-color: $white; - -/*$navbar-light-color: ; -$navbar-light-hover-color: ; -$navbar-light-active-color: $white; -$navbar-light-disabled-color: rgba($white, .25); -$navbar-light-toggler-icon-bg: url("data:image/svg+xml,"); -$navbar-light-toggler-border-color: rgba($white, .1);*/ -$dropdown-bg: $card-bg; -$dropdown-link-color: rgba($white, .5); -$dropdown-link-hover-color: rgba($white, .75); -$dropdown-link-hover-bg: lighten( $dropdown-bg, 10% ); - -.container-fullwidth { - margin: 0 auto; - width: 100%; -} - -@import "./node_modules/bootstrap/scss/mixins"; -@import "./node_modules/bootstrap/scss/utilities"; - -$all-colors: map-merge-multiple($blues, $indigos, $purples, $pinks, $reds, $oranges, $yellows, $greens, $teals, $cyans, $grays, $dm-grays); - -$utilities: map-merge( - 
$utilities, - ( - "color": map-merge( - map-get($utilities, "color"), - ( - values: map-merge( - map-get(map-get($utilities, "color"), "values"), - ( - $all-colors - ), - ), - ), - ), - ) -); - -$utilities: map-merge( - $utilities, - ( - "background-color": map-merge( - map-get($utilities, "background-color"), - ( - values: map-merge( - map-get(map-get($utilities, "background-color"), "values"), - ( - $all-colors - ), - ), - ), - ), - ) -); - -// import /_sass/bootstrap.scss -@import "./node_modules/bootstrap/scss/bootstrap"; -@import "pg-font"; -@import "flag-icon"; - -$svg-primary: $primary; -$svg-dark: $light; -$svg-light: $card-bg; -.textColor { // Navbar logo text - fill: $light; -} - -.post-info, .post-title { - color: $light; - display: inline; - padding: $spacer; - /* Needs prefixing */ - -webkit-box-decoration-break: clone; - box-decoration-break: clone; -} - -mark, .mark { - color: $body-color; -} - -@import "custom"; diff --git a/assets/fonts/pg-font/pg-font.eot b/assets/fonts/pg-font/pg-font.eot deleted file mode 100644 index 8981ed49..00000000 Binary files a/assets/fonts/pg-font/pg-font.eot and /dev/null differ diff --git a/assets/fonts/pg-font/pg-font.svg b/assets/fonts/pg-font/pg-font.svg deleted file mode 100644 index b3d51c43..00000000 --- a/assets/fonts/pg-font/pg-font.svg +++ /dev/null @@ -1,218 +0,0 @@ - - - - -Created by FontForge 2022-03-20T10:13:48+00:00 - By elitejake - -CC0 1.0 Universal Public Domain Dedication. -See the license here: https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE - - - - - - - - - - - - - - - - - - diff --git a/assets/fonts/pg-font/pg-font.ttf b/assets/fonts/pg-font/pg-font.ttf deleted file mode 100644 index 0cc3e40f..00000000 Binary files a/assets/fonts/pg-font/pg-font.ttf and /dev/null differ diff --git a/assets/fonts/pg-font/pg-font.woff b/assets/fonts/pg-font/pg-font.woff deleted file mode 100644 index 13603dd9..00000000 Binary files a/assets/fonts/pg-font/pg-font.woff and /dev/null differ 
diff --git a/assets/fonts/pg-font/pg-font.woff2 b/assets/fonts/pg-font/pg-font.woff2
deleted file mode 100644
index c5b7db91..00000000
Binary files a/assets/fonts/pg-font/pg-font.woff2 and /dev/null differ
diff --git a/assets/img/legacy_svg/3rd-party/cryptpad.svg b/assets/img/legacy_svg/3rd-party/cryptpad.svg
deleted file mode 100644
index 71075223..00000000
--- a/assets/img/legacy_svg/3rd-party/cryptpad.svg
+++ /dev/null
@@ -1,2 +0,0 @@
-
-
diff --git a/assets/img/legacy_svg/3rd-party/writeas.svg b/assets/img/legacy_svg/3rd-party/writeas.svg
deleted file mode 100644
index 1cdd0ca5..00000000
--- a/assets/img/legacy_svg/3rd-party/writeas.svg
+++ /dev/null
@@ -1,2 +0,0 @@
-
-
diff --git a/assets/js/main.js b/assets/js/main.js
deleted file mode 100644
index 4405e35c..00000000
--- a/assets/js/main.js
+++ /dev/null
@@ -1,7 +0,0 @@
-document.querySelectorAll(".onclick-select").forEach(element => {
- element.addEventListener("click", element.select);
-});
-var tooltipTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="tooltip"]'))
-var tooltipList = tooltipTriggerList.map(function (tooltipTriggerEl) {
- return new bootstrap.Tooltip(tooltipTriggerEl)
-})
diff --git a/assets/js/sortable.min.js b/assets/js/sortable.min.js
deleted file mode 100644
index 242074c4..00000000
--- a/assets/js/sortable.min.js
+++ /dev/null
@@ -1,2 +0,0 @@ -/*! sortable.js 0.5.0 */ -(function(){var a,b,c,d,e,f;a="table[data-sortable]",c=/^-?[£$¤]?[\d,.]+%?$/,f=/^\s+|\s+$/g,e="ontouchstart"in document.documentElement,b=e?"touchstart":"click",d={init:function(){var b,c,e,f,g;for(c=document.querySelectorAll(a),g=[],e=0,f=c.length;f>e;e++)b=c[e],g.push(d.initTable(b));return g},initTable:function(a){var b,c,e,f,g;if(1===a.tHead.rows.length&&"true"!==a.getAttribute("data-sortable-initialized")){for(a.setAttribute("data-sortable-initialized","true"),e=a.querySelectorAll("th"),b=f=0,g=e.length;g>f;b=++f)c=e[b],"false"!==c.getAttribute("data-sortable")&&d.setupClickableTH(a,c,b);return a}},setupClickableTH:function(a,c,e){var f;return f=d.getColumnType(a,e),c.addEventListener(b,function(){var b,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u;for(j="true"===this.getAttribute("data-sorted"),k=this.getAttribute("data-sorted-direction"),b=j?"ascending"===k?"descending":"ascending":f.defaultSortDirection,m=this.parentNode.querySelectorAll("th"),n=0,q=m.length;q>n;n++)c=m[n],c.setAttribute("data-sorted","false"),c.removeAttribute("data-sorted-direction");for(this.setAttribute("data-sorted","true"),this.setAttribute("data-sorted-direction",b),l=a.tBodies[0],h=[],t=l.rows,o=0,r=t.length;r>o;o++)g=t[o],h.push([d.getNodeValue(g.cells[e]),g]);for(j?h.reverse():h.sort(f.compare),u=[],p=0,s=h.length;s>p;p++)i=h[p],u.push(l.appendChild(i[1]));return u})},getColumnType:function(a,b){var e,f,g,h,i;for(i=a.tBodies[0].rows,g=0,h=i.length;h>g;g++)if(e=i[g],f=d.getNodeValue(e.cells[b]),""!==f&&f.match(c))return d.types.numeric;return d.types.alpha},getNodeValue:function(a){return a?null!==a.getAttribute("data-value")?a.getAttribute("data-value"):"undefined"!=typeof a.innerText?a.innerText.replace(f,""):a.textContent.replace(f,""):""},types:{numeric:{defaultSortDirection:"descending",compare:function(a,b){var c,d;return 
c=parseFloat(a[0].replace(/[^0-9.-]/g,"")),d=parseFloat(b[0].replace(/[^0-9.-]/g,"")),isNaN(c)&&(c=0),isNaN(d)&&(d=0),d-c}},alpha:{defaultSortDirection:"ascending",compare:function(a,b){var c,d;return c=a[0].toLowerCase(),d=b[0].toLowerCase(),c===d?0:d>c?-1:1}}}},setTimeout(d.init,0),window.Sortable=d}).call(this); \ No newline at end of file diff --git a/blog.html b/blog.html deleted file mode 100644 index 33e77912..00000000 --- a/blog.html +++ /dev/null @@ -1,13 +0,0 @@ ---- -layout: page -title: Blog -permalink: /blog/ ---- - -
-
- {% for post in site.posts %} - {% include blog-card.html %} - {% endfor %} -
-
diff --git a/collections/_evergreen/browsers.md b/collections/_evergreen/browsers.md
deleted file mode 100644
index b4f51c4d..00000000
--- a/collections/_evergreen/browsers.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-layout: evergreen
-title: Browser Recommendations
-description: |
- These are our current web browser recommendations and settings. We recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
----
-
-## General Recommendations
-{% for item_hash in site.data.software.browsers %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
-
-## Desktop Browser Recommendations
-{% for item_hash in site.data.software.browsers-desktop %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
-
-## Mobile Browser Recommendations
-On Android, Mozilla's engine [GeckoView](https://mozilla.github.io/geckoview/) has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). Firefox on Android also doesn't yet have [HTTPS-Only mode](https://github.com/mozilla-mobile/fenix/issues/16952#issuecomment-907960218) built-in. We do not recommend Firefox or any Gecko based browsers at this time.
-
-On iOS all web browsers use [WKWebView](https://developer.apple.com/documentation/webkit/wkwebview), so all browsers on the App Store are essentially Safari under the hood.
-
-{% for item_hash in site.data.software.browsers-mobile %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
-
-## Additional Resources
-{% for item_hash in site.data.software.browsers-resources %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
diff --git a/collections/_evergreen/cloud.md b/collections/_evergreen/cloud.md
deleted file mode 100644
index 759326bf..00000000
--- a/collections/_evergreen/cloud.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-layout: evergreen
-title: Cloud Storage
-description: |
- If you are currently using a Cloud Storage Service like Dropbox, Google Drive, Microsoft OneDrive or Apple iCloud, you are putting complete trust in your service provider to not look at your files.
-
- Consider reducing the need to trust your provider, by using an alternative below that supports [end-to-end encryption](https://wikipedia.org/wiki/End-to-end_encryption) (E2EE).
----
-
-{% for item_hash in site.data.providers.cloud %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
diff --git a/collections/_evergreen/qubes.md b/collections/_evergreen/qubes.md
deleted file mode 100644
index 16e18485..00000000
--- a/collections/_evergreen/qubes.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-layout: evergreen
-title: Qubes OS
-mathjax: false
-description: |
- Qubes OS is a distribution of Linux that uses [Xen](https://en.wikipedia.org/wiki/Xen) to provide app isolation.
----
-
-{% for item_hash in site.data.operating-systems.qubes %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
diff --git a/collections/_evergreen/real-time-communication.md b/collections/_evergreen/real-time-communication.md
deleted file mode 100644
index 1058570d..00000000
--- a/collections/_evergreen/real-time-communication.md
+++ /dev/null
@@ -1,152 +0,0 @@ ---- -layout: evergreen -title: Real-Time Communication -description: | - We only recommend messengers that support strong [end-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption) (E2EE) and have been been independently [audited](https://en.wikipedia.org/wiki/Information_security_audit#The_audited_systems) to ensure their cryptography works as intended. The selection listed here is [free and open-source software](https://en.wikipedia.org/wiki/Free_and_open-source_software) (FOSS), ensuring that the code can be verified by experts now and in the future. ---- - -## Encrypted Instant Messengers -{% for item_hash in site.data.software.messengers %} -{% assign item = item_hash[1] %} - -{% if item.type == "Recommendation" %} -{% include recommendation-card.html %} -{% endif %} -{% endfor %} - -## Types of Communication Networks -There are several network architectures commonly used to relay messages between users. These networks can provide different different privacy guarantees, which is why it's worth considering your [threat model](https://en.wikipedia.org/wiki/Threat_model) when making a decision about which app to use. - -### Centralized Networks -{% capture markdown_text %} -Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. - -Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. -{% endcapture %} -{% include media-left.html text=markdown_text src="/assets/img/layout/network-centralized.svg" alt="Centralized network" %} - -
-
-
-

Advantages

-
    -
  • New features and changes can be implemented more quickly.
  • -
  • Easier to get started with and to find contacts.
  • -
  • Most mature and stable features ecosystems, as they are easier to program in a centralized software.
  • -
  • Privacy issues may be reduced when you trust a server that you're self-hosting.
  • -
-
-
-

Disadvantages

-
    -
  • Can include restricted control or access. This can include things like:
  • -
      -
    • Being forbidden from connecting third-party clients to the centralized network that might provide for greater customization or better user experience. Often defined in Terms and Conditions of usage.
    • -
    • Poor or no documentation for third-party developers.
    • -
    -
  • The ownership, privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
  • -
  • Self hosting requires effort and knowledge of how to set up a service.
  • -
-
-
-
- -### Federated Networks -{% capture markdown_text %} -Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. - -When self-hosted, users of a federated server can discover and communicate with users of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). -{% endcapture %} -{% include media-left.html text=markdown_text src="/assets/img/layout/network-decentralized.svg" alt="Decentralized network" %} - -
-
-
-

Advantages

-
    -
  • Allows for greater control over your own data when running your own server.
  • -
  • Allows you to choose who to trust your data with by choosing between multiple "public" servers.
  • -
  • Often allows for third party clients which can provide a more native, customized, or accessible experience.
  • -
  • Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)
  • -
-
-
-

Disadvantages

-
    -
  • Adding new features is more complex, because these features need to be standardized and tested to ensure they work with all servers on the network.
  • -
  • Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
  • -
  • Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
  • -
  • Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is utilized.
  • -
  • Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with users on those servers.
  • -
-
-
-
- -### Peer-to-Peer (P2P) Networks -{% capture markdown_text %} -[P2P](https://en.wikipedia.org/wiki/Peer-to-peer) messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recepient without a third-party server. - -Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). - -Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. - -P2P networks do not use servers, as users communicate directly between each others, and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as users discovery or offline messages relaying, which can benefit from self-hosting. -{% endcapture %} -{% include media-left.html text=markdown_text src="/assets/img/layout/network-distributed.svg" alt="Distributed network" %} - -
-
-
-

Advantages

-
    -
  • Minimal information is exposed to third parties.
  • -
  • Modern P2P platforms implement end-to-end encryption by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
  • -
-
-
-

Disadvantages

-
    -
  • Reduced feature set:
  • -
      -
    • Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
    • -
    • Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
    • -
    • Some common messenger features may not be implemented or incompletely, such as message deletion.
    • -
    -
  • Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a VPN or self contained network, such as Tor or I2P. Many countries have some form of mass surveillance and/or metadata retention.
  • -
-
-
-
- -### Anonymous Routing -{% capture markdown_text %} -A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. - -There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](https://en.wikipedia.org/wiki/Tor_(anonymity_network))), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly, and only meet through a secret rendezvous node, so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages nor the final destination, only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers". - -Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. -{% endcapture %} -{% include media-left.html text=markdown_text src="/assets/img/layout/network-anonymous-routing.svg" alt="Anonymous routing network" %} - -
-
-
-

Advantages

-
    -
  • Minimal to no information is exposed to other parties.
  • -
  • Messages can be relayed in a decentralized manner even if one of the parties is offline.
  • -
-
-
-

Disadvantages

-
    -
  • Slow message propagation.
  • -
  • Often limited to fewer media types, mostly text since the network is slow.
  • -
  • Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
  • -
  • More complex to get started as the creation and secured backup of a cryptographic private key is required.
  • -
  • Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform, hence features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
  • -
-
-
-
diff --git a/collections/_evergreen/router.md b/collections/_evergreen/router.md
deleted file mode 100644
index 7bc05985..00000000
--- a/collections/_evergreen/router.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-layout: evergreen
-title: Router
-mathjax: false
-description: |
- Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points etc.
----
-
-{% for item_hash in site.data.operating-systems.router %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
diff --git a/collections/_evergreen/search-engines.md b/collections/_evergreen/search-engines.md
deleted file mode 100644
index 84a51fa0..00000000
--- a/collections/_evergreen/search-engines.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-layout: evergreen
-title: Search Engines
-description: |
- Use a search engine that doesn't build an advertising profile based on your searches.
-
- The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
-
- Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
----
-
-{% for item_hash in site.data.providers.search-engines %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
diff --git a/collections/_evergreen/video-streaming.md b/collections/_evergreen/video-streaming.md
deleted file mode 100644
index 91de2b6c..00000000
--- a/collections/_evergreen/video-streaming.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-layout: evergreen
-title: Video Streaming
-description: |
- The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](/providers/vpn/) or [Tor](https://www.torproject.org/) to make it harder to profile your usage.
----
-
-## Clients
-
-{% for item_hash in site.data.software.video-streaming-clients %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
-
-## Web-based Frontends
-
-
-
-{% for item_hash in site.data.software.video-streaming-front-ends %}
-{% assign item = item_hash[1] %}
-
-{% if item.type == "Recommendation" %}
-{% include recommendation-card.html %}
-{% endif %}
-
-{% endfor %}
diff --git a/collections/_evergreen/android.md b/docs/android.md
similarity index 58%
rename from collections/_evergreen/android.md
rename to docs/android.md
index f87f304c..23137c96 100644
--- a/collections/_evergreen/android.md
+++ b/docs/android.md
@@ -1,22 +1,73 @@ --- -layout: evergreen -title: Android -mathjax: true -description: | - Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. +icon: 'fontawesome/brands/android' +--- +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. - The main privacy concern with most Android devices is that they usually include [Google Play Services](https://developers.google.com/android/guides/overview). This component is proprietary, [closed source](https://en.wikipedia.org/wiki/Proprietary_software), has a privileged role on your phone, and may collect private user information. It is neither a part of the [Android Open Source Project](https://source.android.com/) (AOSP) nor is it included with the below derivatives. ---- +The main privacy concern with most Android devices is that they usually include [Google Play Services](https://developers.google.com/android/guides/overview). This component is proprietary, [closed source](https://en.wikipedia.org/wiki/Proprietary_software), has a privileged role on your phone, and may collect private user information. It is neither a part of the [Android Open Source Project](https://source.android.com/) (AOSP) nor is it included with the below derivatives. ## AOSP Derivatives -{% for item_hash in site.data.operating-systems.android %} -{% assign item = item_hash[1] %} -{% if item.type == "Recommendation" %} -{% include recommendation-card.html %} -{% endif %} +### GrapheneOS -{% endfor %} +!!! 
recommendation + + ![GrapheneOS logo](/assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](/assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported. + + [Visit grapheneos.org](https://grapheneos.org/){ .md-button .md-button--primary } [Privacy Policy](https://grapheneos.org/faq#privacy-policy){ .md-button } + +Notably, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play). Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user [profile](/android/#android-security-privacy) of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's [Firebase Cloud Messaging](https://firebase.google.com/docs/cloud-messaging/) service. GrapheneOS allows you to take advantage of most [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) whilst having full user control over their permissions and access. + +Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet its hardware security requirement and are supported. + +!!! attention + + GrapheneOS's "extended support" devices do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure. + +### CalyxOS + +!!! 
recommendation + + ![CalyxOS logo](/assets/img/android/calyxos.svg){ align=right } + + **CalyxOS** is a decent alternative to GrapheneOS. + + It has some privacy features on top of AOSP, including [Datura firewall](https://calyxos.org/docs/tech/datura-details), [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported. + + To accomodate users who need Google Play Services, CalyxOS optionally includes [MicroG](https://microg.org/). With MicroG, CalyxOS also bundles in the [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu) location services. + + Currently, CalyxOS only supports [Pixel phones](https://calyxos.org/docs/guide/device-support/). + + [Visit calyxos.org](https://calyxos.org/){ .md-button .md-button--primary } [Privacy Policy](https://calyxinstitute.org/legal/privacy-policy){ .md-button } + +!!! attention + + CalyxOS's "extended support" does not have full security patches due to the original equipment manufacturer (OEM) discontinuing support; therefore, they cannot be considered completely secure. + +### DivestOS + +!!! recommendation + + ![DivestOS logo](/assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. 
+ + [Visit divestos.org](https://divestos.org){ .md-button .md-button--primary } [Privacy Policy](https://divestos.org/index.php?page=privacy_policy){ .md-button } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, and [F-Droid](https://www.f-droid.org) as the app store. It includes [UnifiedNlp](https://github.com/microg/UnifiedNlp) for network location and some hardening with [Mulch Webview](https://gitlab.com/divested-mobile/mulch). Users can also select the [Bromite SystemWebView](https://www.bromite.org/system_web_view) in ⚙️ Settings → Developer options → Webview implementation. DivestOS also includes kernel patches from GrapheneOS and enables security features in [defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698). + +DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) permission toggle and [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc). + +!!! attention + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative. + + Not all of the supported devices have [verified boot](https://source.android.com/security/verifiedboot), and some perform it better than others. ## Android security and privacy features ### User Profiles 
@@ -47,14 +98,152 @@ Android 7 and above supports a VPN killswitch and it is available without the ne Modern Android devices have global toggles for disabling [Bluetooth](https://en.wikipedia.org/wiki/Bluetooth) and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. ## Recommended Apps -{% for item_hash in site.data.operating-systems.android-applications %} -{% assign item = item_hash[1] %} -{% if item.type == "Recommendation" %} -{% include recommendation-card.html %} -{% endif %} +### Orbot + +!!! recommendation + + ![Orbot logo](/assets/img/android/orbot.svg){ align=right } + + **Orbot** is a free proxy app that routes your connections through the Tor Network. + + [Visit orbot.app](https://orbot.app/){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid) + - [:fontawesome-brands-github: GitHub](https://github.com/guardianproject/orbot) + - [:fontawesome-brands-gitlab: GitLab](https://gitlab.com/guardianproject/orbot) + +Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch (⚙️ Settings → Network & internet → VPN → ⚙️ → Block connections without VPN). + +For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* ( ⁝ →Settings → Connectivity). This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to. + +!!! 
attention + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot) instead. + + All versions are signed using the same signature so they should be compatible with each other. + + +### Shelter + +!!! recommendation + + ![Shelter logo](/assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage the Android work profile to isolate other apps. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [Visit gitea.angry.im](https://gitea.angry.im/PeterCxy/Shelter){ .md-button .md-button--primary } + + **Downloads:** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.typeblog.shelter) + - [:fontawesome-brands-github: GitHub](https://github.com/PeterCxy/Shelter) + - [:fontawesome-brands-git-alt: Source](https://gitea.angry.im/PeterCxy/Shelter) + +!!! attention + + As CalyxOS includes a device controller, we recommend using their built in work profile instead. + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer as Shelter would be acting as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) for the work profile and has extensive access to the data stored within it. + + +### Auditor + +!!! 
recommendation + + ![Auditor logo](/assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](/assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently it works with GrapheneOS and the device's stock operating system. + + [Visit attestation.app](https://attestation.app){ .md-button .md-button--primary } + + **Downloads:** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor) + - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Auditor) + +Auditor performs attestation and intrusion detection by: + + - Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. + - The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). + - The *auditor* records the current state and configuration of the *auditee*. + - Should tampering with the operating system of the *auditee* after the pairing is complete, the auditor will be aware of the change in the device state and configurations. + - The user will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](/threat-modeling/) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service. 
+To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](/assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](/assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is an camera app focused on privacy and security which can capture images, videos, and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [Visit github.com](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + + **Downloads:** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [Scrambled Exif](https://gitlab.com/juanitobananas/scrambled-exif/). + +### Secure PDF Viewer + +!!! 
recommendation + + ![Secure PDF Viewer logo](/assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](/assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [Visit github.com](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + + **Downloads:** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](/assets/img/android/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [Visit privacyblur.app](https://privacyblur.app/){ .md-button .md-button--primary } + + **Downloads:** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.mathema.privacyblur/) + - [:fontawesome-brands-github: GitHub](https://github.com/MATHEMA-GmbH/privacyblur) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. 
For this we suggest [Pocket Paint](https://github.com/Catrobat/Paintroid) or [Imagepipe](https://codeberg.org/Starfish/Imagepipe). -{% endfor %} ## General Recommendations ### Avoid Root 
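Review bot: In the added Auditor section, the bullet beginning `Should tampering with the operating system of the *auditee* after the pairing is complete` has no verb, so the one sentence that says what the app detects does not parse. I would write `- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations.` The first bullet of that list places the key in the hardware-backed keystore "of the *Auditor*", which reads as the verifying device; as far as I know the pinned key is generated on the auditee, so that wording is worth checking against the attestation.app documentation before merging. In the same hunk, "is an camera app" under Secure Camera should read "is a camera app".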
@@ -86,16 +275,16 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: - * Stricter two factor authentication; e.g. that [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) **must** be used and disallows the use of [SMS OTPs](https://en.wikipedia.org/wiki/One-time_password#SMS), [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password), and [OAuth](https://en.wikipedia.org/wiki/OAuth) - * Only Google and verified third party apps can access account data - * Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - * Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome - * Stricter recovery process for accounts with lost credentials + - Stricter two factor authentication; e.g. that [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) or [FIDO2](https://en.wikipedia.org/wiki/WebAuthn) **must** be used and disallows the use of [SMS OTPs](https://en.wikipedia.org/wiki/One-time_password#SMS), [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password), and [OAuth](https://en.wikipedia.org/wiki/OAuth) + - Only Google and verified third party apps can access account data + - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts + - Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome + - Stricter recovery process for accounts with lost credentials For users that are using the privileged Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: - * Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or 
via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) - * Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) - * Warning the user about unverified applications + - Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) + - Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) + - Warning the user about unverified applications ### SafetyNet and Play Integrity API [SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financal apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. 
@@ -108,8 +297,8 @@ All devices with Google Play Services installed automatically generate an [adver On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to ⚙️ Settings → Apps → Sandboxed Google Play → Google Settings → Ads and select **Delete advertising ID**. On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check - * ⚙️ Settings → Google → Ads - * ⚙️ Settings → Privacy → Ads + - ⚙️ Settings → Google → Ads + - ⚙️ Settings → Privacy → Ads Depending on your system, you will either be given the option to delete your advertising ID or to "Opt out of interest-based ads". You should delete the advertising ID if you are given the option to, and if you are not, we recommend that you opt out of interested-based ads and then reset your advertising ID. 
@@ -121,14 +310,13 @@ Avoid buying phones from mobile network operators. These often have a **locked b Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. We have these general tips: - - * If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. - * Consider price beating options and specials offered at [brick and mortar](https://en.wikipedia.org/wiki/Brick_and_mortar) stores. - * Look at online community bargain sites in your country. These can alert you to good sales. - * The price per day for a device can be calculated as \\({\\text {EoL Date}-\\text{Current Date} \\over \\text{Cost}}\\). Google provides a [list](https://support.google.com/nexus/answer/4457705) of their supported devices. - * Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. - * Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. - * In short, if a device or Android distribution is not listed here, there is probably a good reason, so check our [discussions](https://github.com/privacyguides/privacyguides.org/discussions) page. + - If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. 
+ - Consider price beating options and specials offered at [brick and mortar](https://en.wikipedia.org/wiki/Brick_and_mortar) stores. + - Look at online community bargain sites in your country. These can alert you to good sales. + - The price per day for a device can be calculated as $\text {EoL Date}-\text{Current Date} \over \text{Cost}$. Google provides a [list](https://support.google.com/nexus/answer/4457705) of their supported devices. + - Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. + - Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. + - In short, if a device or Android distribution is not listed here, there is probably a good reason, so check our [discussions](https://github.com/privacyguides/privacyguides.org/discussions) page. The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. The GrapheneOS project is not currently affiliated with any vendor and cannot ensure the quality or security of their products. 
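Review bot: The formula on the added "price per day" bullet is inverted: `$\text {EoL Date}-\text{Current Date} \over \text{Cost}$` gives days of support per unit of cost, not cost per day. The removed line had the same expression, so the conversion carries the error over; I would write `$\text{Cost} \over \text{EoL Date}-\text{Current Date}$`. The hunk also switches the delimiters from `\\( … \\)` to `$ … $`, which only renders if the new MkDocs configuration enables a math extension with dollar delimiters; that configuration is not visible here.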
@@ -140,27 +328,32 @@ GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Ap ## F-Droid F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third party repositories and not be confined to Google's [walled garden](https://en.wikipedia.org/wiki/Closed_platform) has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications, and is dedicated to free and open source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/). -### Recommended Client +### Droid-ify + The official F-Droid client targets a [low API level](https://wonderfall.dev/fdroid-issues/#3-low-target-api-level-sdk-for-client--apps) and does not utilize the [seamless updates](https://www.androidcentral.com/google-will-finally-bring-seamless-app-updates-alternative-app-stores-android-12) feature introduced in Android 12. Targeting lower API levels means that the F-Droid client cannot take advantage of the new improvements in the application sandboxes that comes with higher API levels. For automatic updates to work, the F-Droid client requires that the [Privileged Extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged/) be included in the operating system, granting it more privileges than what a normal app would have, which is not great for security. To mitigate these problems, we recommend [Droid-ify](https://github.com/Iamlooker/Droid-ify) as it supports seamless updates on Android 12 and above without needing any special privileges and targets a higher API level. -{% for item_hash in site.data.operating-systems.android-fdroid %} -{% assign item = item_hash[1] %} +!!! 
recommendation -{% if item.type == "Recommendation" %} -{% include recommendation-card.html %} -{% endif %} + ![Droid-ify logo](assets/img/android/droid-ify.png){ align=right } -{% endfor %} + **Droid-ify** is a modern F-Droid client made with MaterialUI, forked from [Foxy Droid](https://github.com/kitsunyan/foxy-droid). -#### Where to get your applications + Unlike the official F-Droid client, Droid-ify supports seamless updates on Android 12 and above without the need for a privileged extension. If your Android distribution is on Android 12 or above and does not include the [F-Droid privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged/), it is highly recommended that you use Droid-ify instead of the official client. + + **Downloads:** + - [:fontawesome-brands-android: APK Download](https://android.izzysoft.de/repo/apk/com.looker.droidify) + - [:fontawesome-brands-github: GitHub](https://github.com/Iamlooker/Droid-ify) + +### Where to get your applications Sometimes the official F-Droid repository may fall behind on updates. F-Droid maintainers reuse package IDs while signing apps with their own keys, which is not ideal as it does give the F-Droid team ultimate trust. The Google Play version of some apps may contain unwanted telemetry or lack features that are available in the F-Droid version. The Google Play Store requires a Google account to login which is not great for privacy. The [Aurora Store](https://auroraoss.com/download/AuroraStore/) (a Google Play Store proxy) does not always work, though it does most of the time. We have these general tips: - * Check if the app developers have their own F-Droid repository first, e.g. [Bitwarden](https://bitwarden.com/), [Samourai Wallet](https://www.samouraiwallet.com/), or [Newpipe](https://newpipe.net/), which have their own repositories with less telemetry, additional features or faster updates. This is the ideal situation and you should be using these repositories if possible. 
- * Check if an app is available on the [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repository. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. We recommend that you download the GitHub builds and install them manually first, then use IzzyOnDroid for any subsequent updates. This will ensure that the signature of the applications you get from IzzyOnDroid matches that of the developer and the packages have not been tampered with. - * Check if there are any differences between the F-Droid version and the Google Play Store version. Some applications like [IVPN](https://www.ivpn.net/) do not include certain features (eg [AntiTracker](https://www.ivpn.net/knowledgebase/general/antitracker-faq/)) in their Google Play Store build out of fear of censorship by Google. + + - Check if the app developers have their own F-Droid repository first, e.g. [Bitwarden](https://bitwarden.com/), [Samourai Wallet](https://www.samouraiwallet.com/), or [Newpipe](https://newpipe.net/), which have their own repositories with less telemetry, additional features or faster updates. This is the ideal situation and you should be using these repositories if possible. + - Check if an app is available on the [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repository. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. We recommend that you download the GitHub builds and install them manually first, then use IzzyOnDroid for any subsequent updates. This will ensure that the signature of the applications you get from IzzyOnDroid matches that of the developer and the packages have not been tampered with. + - Check if there are any differences between the F-Droid version and the Google Play Store version. 
Some applications like [IVPN](https://www.ivpn.net/) do not include certain features (eg [AntiTracker](https://www.ivpn.net/knowledgebase/general/antitracker-faq/)) in their Google Play Store build out of fear of censorship by Google. Evaluate whether the additional features in the F-Droid build are worth the slower updates. Also think about whether faster updates from the Google Play Store are worth the potential privacy isues in your [threat model](/threat-modeling/). 
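Review bot: The Droid-ify card's image uses a relative path, `assets/img/android/droid-ify.png`, while every other card added in this commit uses a root-relative `/assets/img/android/...` path, so the logo will probably not resolve from the rendered page; I would write `![Droid-ify logo](/assets/img/android/droid-ify.png){ align=right }`. The card also lists the IzzyOnDroid APK as the first download, whereas the tips a few lines below recommend installing the developer's GitHub build first and using IzzyOnDroid only for later updates. Putting the GitHub link first, or noting on the card that the signature should match the GitHub release, would keep the two pieces of advice consistent.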
@@ -189,9 +382,9 @@ CalyxOS includes the [privileged extension](https://f-droid.org/en/packages/org. ### Additional hardening GrapheneOS improves upon [AOSP](https://source.android.com/) security with: - * **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means user installed apps that use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium/tree/12/patches) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it. - * **Hardened Kernel:** GrapheneOS kernel includes some hardening from the [linux-hardened](https://github.com/GrapheneOS/linux-hardened) project and the [Kernel Self Protection Project (KSPP)](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project). CalyxOS uses the [same kernel](https://calyxos.org/docs/development/build/kernel/) as regular Android with some minor modifications. - * **Hardened Memory Allocator:** GrapheneOS uses the [hardened malloc](https://github.com/GrapheneOS/hardened_malloc) subproject as its memory allocator. 
This focuses on hardening against [memory heap corruption](https://en.wikipedia.org/wiki/Memory_corruption). CalyxOS uses the default AOSP [Scudo Malloc](https://source.android.com/devices/tech/debug/scudo), which is generally [less effective](https://twitter.com/danielmicay/status/1033671709197398016). Hardened Malloc has uncovered vulnerabilities in AOSP which have been [fixed](https://github.com/GrapheneOS/platform_system_core/commit/be11b59725aa6118b0e1f0712572e835c3d50746) by GrapheneOS such as [CVE-2021-0703](https://nvd.nist.gov/vuln/detail/CVE-2021-0703). - * **Secure Exec Spawning:** GrapheneOS [spawns](https://en.wikipedia.org/wiki/Spawn_(computing)) fresh processes as opposed to using the [Zygote model](https://ayusch.com/android-internals-the-android-os-boot-process) used by AOSP and CalyxOS. The Zygote model weakens [Address Space Layout Randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) and is considered [less secure](https://wenke.gtisc.gatech.edu/papers/morula.pdf). Creating [fresh processes](https://grapheneos.org/usage#exec-spawning) is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an [old device](https://support.google.com/nexus/answer/4457705) with slow storage such as the Pixel 3a/3a XL as it has [eMMC](https://en.wikipedia.org/wiki/MultiMediaCard#eMMC). + - **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. 
It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means user installed apps that use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium/tree/12/patches) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it. + - **Hardened Kernel:** GrapheneOS kernel includes some hardening from the [linux-hardened](https://github.com/GrapheneOS/linux-hardened) project and the [Kernel Self Protection Project (KSPP)](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project). CalyxOS uses the [same kernel](https://calyxos.org/docs/development/build/kernel/) as regular Android with some minor modifications. + - **Hardened Memory Allocator:** GrapheneOS uses the [hardened malloc](https://github.com/GrapheneOS/hardened_malloc) subproject as its memory allocator. This focuses on hardening against [memory heap corruption](https://en.wikipedia.org/wiki/Memory_corruption). CalyxOS uses the default AOSP [Scudo Malloc](https://source.android.com/devices/tech/debug/scudo), which is generally [less effective](https://twitter.com/danielmicay/status/1033671709197398016). Hardened Malloc has uncovered vulnerabilities in AOSP which have been [fixed](https://github.com/GrapheneOS/platform_system_core/commit/be11b59725aa6118b0e1f0712572e835c3d50746) by GrapheneOS such as [CVE-2021-0703](https://nvd.nist.gov/vuln/detail/CVE-2021-0703). 
+ - **Secure Exec Spawning:** GrapheneOS [spawns](https://en.wikipedia.org/wiki/Spawn_(computing)) fresh processes as opposed to using the [Zygote model](https://ayusch.com/android-internals-the-android-os-boot-process) used by AOSP and CalyxOS. The Zygote model weakens [Address Space Layout Randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) and is considered [less secure](https://wenke.gtisc.gatech.edu/papers/morula.pdf). Creating [fresh processes](https://grapheneos.org/usage#exec-spawning) is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an [old device](https://support.google.com/nexus/answer/4457705) with slow storage such as the Pixel 3a/3a XL as it has [eMMC](https://en.wikipedia.org/wiki/MultiMediaCard#eMMC). **Please note that these are just a few examples and are not an extensive list of GrapheneOS's hardening**. For a more complete list, please read GrapheneOS' [official documentation](https://grapheneos.org/features). diff --git a/assets/files/meta/browserconfig.xml b/docs/assets/files/meta/browserconfig.xml similarity index 100% rename from assets/files/meta/browserconfig.xml rename to docs/assets/files/meta/browserconfig.xml diff --git a/assets/files/meta/site.webmanifest b/docs/assets/files/meta/site.webmanifest similarity index 100% rename from assets/files/meta/site.webmanifest rename to docs/assets/files/meta/site.webmanifest diff --git a/assets/fonts/Bagnard.otf b/docs/assets/fonts/bagnard/Bagnard.otf similarity index 100% rename from assets/fonts/Bagnard.otf rename to docs/assets/fonts/bagnard/Bagnard.otf diff --git a/assets/fonts/Bagnard.ttf b/docs/assets/fonts/bagnard/Bagnard.ttf similarity index 100% rename from assets/fonts/Bagnard.ttf rename to docs/assets/fonts/bagnard/Bagnard.ttf 
diff --git a/assets/fonts/Bagnard.woff b/docs/assets/fonts/bagnard/Bagnard.woff similarity index 100% rename from assets/fonts/Bagnard.woff rename to docs/assets/fonts/bagnard/Bagnard.woff diff --git a/docs/assets/fonts/bagnard/LICENSE.txt b/docs/assets/fonts/bagnard/LICENSE.txt new file mode 100644 index 00000000..fd3cc650 --- /dev/null +++ b/docs/assets/fonts/bagnard/LICENSE.txt 
@@ -0,0 +1,93 @@
+Copyright (c) 2015 Sebastien Sanfilippo (www.love-letters.be)
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+This license is copied below, and is also available with a FAQ at:
+http://scripts.sil.org/OFL
+
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded,
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.
diff --git a/assets/img/android/android.svg b/docs/assets/img/android/android.svg
similarity index 100%
rename from assets/img/android/android.svg
rename to docs/assets/img/android/android.svg
diff --git a/assets/img/android/auditor-dark.svg b/docs/assets/img/android/auditor-dark.svg
similarity index 100%
rename from assets/img/android/auditor-dark.svg
rename to docs/assets/img/android/auditor-dark.svg
diff --git a/assets/img/android/auditor.svg b/docs/assets/img/android/auditor.svg
similarity index 100%
rename from assets/img/android/auditor.svg
rename to docs/assets/img/android/auditor.svg
diff --git a/assets/img/android/calyxos.svg b/docs/assets/img/android/calyxos.svg
similarity index 100%
rename from assets/img/android/calyxos.svg
rename to docs/assets/img/android/calyxos.svg
diff --git a/assets/img/android/divestos.svg b/docs/assets/img/android/divestos.svg
similarity index 100%
rename from assets/img/android/divestos.svg
rename to docs/assets/img/android/divestos.svg
diff --git a/assets/img/android/droid-ify.png b/docs/assets/img/android/droid-ify.png
similarity index 100%
rename from assets/img/android/droid-ify.png
rename to docs/assets/img/android/droid-ify.png
diff --git a/assets/img/android/grapheneos-dark.svg b/docs/assets/img/android/grapheneos-dark.svg
similarity index 100%
rename from assets/img/android/grapheneos-dark.svg
rename to docs/assets/img/android/grapheneos-dark.svg
diff --git a/assets/img/android/grapheneos.svg b/docs/assets/img/android/grapheneos.svg
similarity index 100%
rename from assets/img/android/grapheneos.svg
rename to docs/assets/img/android/grapheneos.svg
diff --git a/assets/img/android/orbot.svg b/docs/assets/img/android/orbot.svg
similarity index 100%
rename from assets/img/android/orbot.svg
rename to docs/assets/img/android/orbot.svg
diff --git a/assets/img/android/privacyblur.svg b/docs/assets/img/android/privacyblur.svg
similarity index 100%
rename from assets/img/android/privacyblur.svg
rename to docs/assets/img/android/privacyblur.svg
diff --git a/assets/img/android/rethinkdns-dark.svg b/docs/assets/img/android/rethinkdns-dark.svg
similarity index 100%
rename from assets/img/android/rethinkdns-dark.svg
rename to docs/assets/img/android/rethinkdns-dark.svg
diff --git a/assets/img/android/rethinkdns.svg b/docs/assets/img/android/rethinkdns.svg
similarity index 100%
rename from assets/img/android/rethinkdns.svg
rename to docs/assets/img/android/rethinkdns.svg
diff --git a/assets/img/android/secure_camera-dark.svg b/docs/assets/img/android/secure_camera-dark.svg
similarity index 100%
rename from assets/img/android/secure_camera-dark.svg
rename to docs/assets/img/android/secure_camera-dark.svg
diff --git a/assets/img/android/secure_camera.svg b/docs/assets/img/android/secure_camera.svg
similarity index 100%
rename from assets/img/android/secure_camera.svg
rename to docs/assets/img/android/secure_camera.svg
diff --git a/assets/img/android/secure_pdf_viewer-dark.svg b/docs/assets/img/android/secure_pdf_viewer-dark.svg
similarity index 100%
rename from assets/img/android/secure_pdf_viewer-dark.svg
rename to docs/assets/img/android/secure_pdf_viewer-dark.svg
diff --git a/assets/img/android/secure_pdf_viewer.svg b/docs/assets/img/android/secure_pdf_viewer.svg
similarity index 100%
rename from assets/img/android/secure_pdf_viewer.svg
rename to docs/assets/img/android/secure_pdf_viewer.svg
diff --git a/assets/img/android/shelter.svg b/docs/assets/img/android/shelter.svg
similarity index 100%
rename from assets/img/android/shelter.svg
rename to docs/assets/img/android/shelter.svg
diff --git a/assets/img/blog/firefox-privacy-1.png b/docs/assets/img/blog/firefox-privacy-1.png
similarity index 100%
rename from assets/img/blog/firefox-privacy-1.png
rename to docs/assets/img/blog/firefox-privacy-1.png
diff --git a/assets/img/blog/firefox-privacy-2.png b/docs/assets/img/blog/firefox-privacy-2.png
similarity index 100%
rename from assets/img/blog/firefox-privacy-2.png
rename to docs/assets/img/blog/firefox-privacy-2.png
diff --git a/assets/img/blog/firefox-privacy-2021.png b/docs/assets/img/blog/firefox-privacy-2021.png
similarity index 100%
rename from assets/img/blog/firefox-privacy-2021.png
rename to docs/assets/img/blog/firefox-privacy-2021.png
diff --git a/assets/img/blog/firefox-privacy-3.png b/docs/assets/img/blog/firefox-privacy-3.png
similarity index 100%
rename from assets/img/blog/firefox-privacy-3.png
rename to docs/assets/img/blog/firefox-privacy-3.png
diff --git a/assets/img/blog/firefox-privacy-4.png b/docs/assets/img/blog/firefox-privacy-4.png
similarity index 100%
rename from assets/img/blog/firefox-privacy-4.png
rename to docs/assets/img/blog/firefox-privacy-4.png
diff --git a/assets/img/blog/firefox-privacy-5.png b/docs/assets/img/blog/firefox-privacy-5.png
similarity index 100%
rename from assets/img/blog/firefox-privacy-5.png
rename to docs/assets/img/blog/firefox-privacy-5.png
diff --git a/assets/img/blog/firefox-privacy-6.png b/docs/assets/img/blog/firefox-privacy-6.png
similarity index 100%
rename from assets/img/blog/firefox-privacy-6.png
rename to docs/assets/img/blog/firefox-privacy-6.png
diff --git a/assets/img/blog/firefox-privacy-cover.jpg b/docs/assets/img/blog/firefox-privacy-cover.jpg
similarity index 100%
rename from assets/img/blog/firefox-privacy-cover.jpg
rename to docs/assets/img/blog/firefox-privacy-cover.jpg
diff --git a/assets/img/blog/shadowsocks-outline-1.png b/docs/assets/img/blog/shadowsocks-outline-1.png
similarity index 100%
rename from assets/img/blog/shadowsocks-outline-1.png
rename to docs/assets/img/blog/shadowsocks-outline-1.png
diff --git a/assets/img/blog/shadowsocks-outline-2.png b/docs/assets/img/blog/shadowsocks-outline-2.png
similarity index 100%
rename from assets/img/blog/shadowsocks-outline-2.png
rename to docs/assets/img/blog/shadowsocks-outline-2.png
diff --git a/assets/img/blog/understanding-vpns-cover.jpg b/docs/assets/img/blog/understanding-vpns-cover.jpg
similarity index 100%
rename from assets/img/blog/understanding-vpns-cover.jpg
rename to docs/assets/img/blog/understanding-vpns-cover.jpg
diff --git a/assets/img/blog/virtual-insanity.jpg b/docs/assets/img/blog/virtual-insanity.jpg
similarity index 100%
rename from assets/img/blog/virtual-insanity.jpg
rename to docs/assets/img/blog/virtual-insanity.jpg
diff --git a/assets/img/browsers/adguard.svg b/docs/assets/img/browsers/adguard.svg
similarity index 100%
rename from assets/img/browsers/adguard.svg
rename to docs/assets/img/browsers/adguard.svg
diff --git a/assets/img/browsers/bromite.svg b/docs/assets/img/browsers/bromite.svg
similarity index 100%
rename from assets/img/browsers/bromite.svg
rename to docs/assets/img/browsers/bromite.svg
diff --git a/assets/img/browsers/firefox-ios.svg b/docs/assets/img/browsers/firefox-ios.svg
similarity index 100%
rename from assets/img/browsers/firefox-ios.svg
rename to docs/assets/img/browsers/firefox-ios.svg
diff --git a/assets/img/browsers/firefox.svg b/docs/assets/img/browsers/firefox.svg
similarity index 100%
rename from assets/img/browsers/firefox.svg
rename to docs/assets/img/browsers/firefox.svg
diff --git a/assets/img/browsers/firefox_focus.svg b/docs/assets/img/browsers/firefox_focus.svg
similarity index 100%
rename from assets/img/browsers/firefox_focus.svg
rename to docs/assets/img/browsers/firefox_focus.svg
diff --git a/assets/img/browsers/ios-trash-dark.svg b/docs/assets/img/browsers/ios-trash-dark.svg
similarity index 100%
rename from assets/img/browsers/ios-trash-dark.svg
rename to docs/assets/img/browsers/ios-trash-dark.svg
diff --git a/assets/img/browsers/ios-trash.svg b/docs/assets/img/browsers/ios-trash.svg
similarity index 100%
rename from assets/img/browsers/ios-trash.svg
rename to docs/assets/img/browsers/ios-trash.svg
diff --git a/assets/img/browsers/safari.svg b/docs/assets/img/browsers/safari.svg
similarity index 100%
rename from assets/img/browsers/safari.svg
rename to docs/assets/img/browsers/safari.svg
diff --git a/assets/img/browsers/terms_of_service_didnt_read.svg b/docs/assets/img/browsers/terms_of_service_didnt_read.svg
similarity index 100%
rename from assets/img/browsers/terms_of_service_didnt_read.svg
rename to docs/assets/img/browsers/terms_of_service_didnt_read.svg
diff --git a/assets/img/browsers/tor.svg b/docs/assets/img/browsers/tor.svg
similarity index 100%
rename from assets/img/browsers/tor.svg
rename to docs/assets/img/browsers/tor.svg
diff --git a/assets/img/browsers/ublock_origin.svg b/docs/assets/img/browsers/ublock_origin.svg
similarity index 100%
rename from assets/img/browsers/ublock_origin.svg
rename to docs/assets/img/browsers/ublock_origin.svg
diff --git a/assets/img/legacy_svg/3rd-party/etesync.svg b/docs/assets/img/calendar-contacts/etesync.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/etesync.svg
rename to docs/assets/img/calendar-contacts/etesync.svg
diff --git a/assets/img/cloud/nextcloud.svg b/docs/assets/img/calendar-contacts/nextcloud.svg
similarity index 100%
rename from assets/img/cloud/nextcloud.svg
rename to docs/assets/img/calendar-contacts/nextcloud.svg
diff --git a/docs/assets/img/calendar-contacts/proton-calendar.jpg b/docs/assets/img/calendar-contacts/proton-calendar.jpg new file mode 100644 index 00000000..2a2a2999 Binary files /dev/null and b/docs/assets/img/calendar-contacts/proton-calendar.jpg differ diff --git a/docs/assets/img/calendar-contacts/tutanota-dark.svg b/docs/assets/img/calendar-contacts/tutanota-dark.svg new file mode 100644 index 00000000..0efdaf8b --- /dev/null +++ b/docs/assets/img/calendar-contacts/tutanota-dark.svg @@ -0,0 +1,2 @@ + + diff --git a/docs/assets/img/calendar-contacts/tutanota.svg b/docs/assets/img/calendar-contacts/tutanota.svg new file mode 100644 index 00000000..45d306c8 --- /dev/null +++ b/docs/assets/img/calendar-contacts/tutanota.svg @@ -0,0 +1,2 @@ + + diff --git a/docs/assets/img/cloud/cryptee-dark.svg b/docs/assets/img/cloud/cryptee-dark.svg new file mode 100644 index 00000000..c04f0efa --- /dev/null +++ b/docs/assets/img/cloud/cryptee-dark.svg @@ -0,0 +1,2 @@ + + diff --git a/docs/assets/img/cloud/cryptee.svg b/docs/assets/img/cloud/cryptee.svg new file mode 100644 index 00000000..ba0a5720 --- /dev/null +++ b/docs/assets/img/cloud/cryptee.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/legacy_svg/3rd-party/nextcloud.svg b/docs/assets/img/cloud/nextcloud.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/nextcloud.svg rename to docs/assets/img/cloud/nextcloud.svg diff --git a/assets/img/cloud/protondrive.svg b/docs/assets/img/cloud/protondrive.svg similarity index 100% rename from assets/img/cloud/protondrive.svg rename to docs/assets/img/cloud/protondrive.svg diff --git a/assets/img/cloud/tahoe-lafs-dark.svg b/docs/assets/img/cloud/tahoe-lafs-dark.svg similarity index 100% rename from assets/img/cloud/tahoe-lafs-dark.svg rename to docs/assets/img/cloud/tahoe-lafs-dark.svg 
diff --git a/assets/img/cloud/tahoe-lafs.svg b/docs/assets/img/cloud/tahoe-lafs.svg similarity index 100% rename from assets/img/cloud/tahoe-lafs.svg rename to docs/assets/img/cloud/tahoe-lafs.svg diff --git a/assets/img/dns/dns-dark.svg b/docs/assets/img/dns/dns-dark.svg similarity index 100% rename from assets/img/dns/dns-dark.svg rename to docs/assets/img/dns/dns-dark.svg diff --git a/assets/img/dns/dns.svg b/docs/assets/img/dns/dns.svg similarity index 100% rename from assets/img/dns/dns.svg rename to docs/assets/img/dns/dns.svg diff --git a/assets/img/dns/dnscrypt-proxy.svg b/docs/assets/img/dns/dnscrypt-proxy.svg similarity index 100% rename from assets/img/dns/dnscrypt-proxy.svg rename to docs/assets/img/dns/dnscrypt-proxy.svg diff --git a/assets/img/legacy_svg/3rd-party/canarymail.svg b/docs/assets/img/email-clients/canarymail.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/canarymail.svg rename to docs/assets/img/email-clients/canarymail.svg diff --git a/docs/assets/img/email-clients/evolution.svg b/docs/assets/img/email-clients/evolution.svg new file mode 100644 index 00000000..e24e806a --- /dev/null +++ b/docs/assets/img/email-clients/evolution.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/legacy_svg/3rd-party/fairemail.svg b/docs/assets/img/email-clients/fairemail.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/fairemail.svg rename to docs/assets/img/email-clients/fairemail.svg diff --git a/assets/img/legacy_svg/3rd-party/k9mail.svg b/docs/assets/img/email-clients/k9mail.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/k9mail.svg rename to docs/assets/img/email-clients/k9mail.svg diff --git a/docs/assets/img/email-clients/kontact.svg b/docs/assets/img/email-clients/kontact.svg new file mode 100644 index 00000000..e9e5fdce --- /dev/null +++ b/docs/assets/img/email-clients/kontact.svg @@ -0,0 +1,2 @@ + + 
diff --git a/assets/img/legacy_svg/3rd-party/mailvelope.svg b/docs/assets/img/email-clients/mailvelope.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/mailvelope.svg rename to docs/assets/img/email-clients/mailvelope.svg diff --git a/docs/assets/img/email-clients/mutt.svg b/docs/assets/img/email-clients/mutt.svg new file mode 100644 index 00000000..ddb0fc9b --- /dev/null +++ b/docs/assets/img/email-clients/mutt.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/legacy_svg/3rd-party/thunderbird.svg b/docs/assets/img/email-clients/thunderbird.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/thunderbird.svg rename to docs/assets/img/email-clients/thunderbird.svg diff --git a/assets/img/legacy_svg/3rd-party/anonaddy-dark.svg b/docs/assets/img/email/anonaddy-dark.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/anonaddy-dark.svg rename to docs/assets/img/email/anonaddy-dark.svg diff --git a/assets/img/legacy_svg/3rd-party/anonaddy.svg b/docs/assets/img/email/anonaddy.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/anonaddy.svg rename to docs/assets/img/email/anonaddy.svg diff --git a/assets/img/legacy_svg/3rd-party/ctemplar-dark.svg b/docs/assets/img/email/ctemplar-dark.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/ctemplar-dark.svg rename to docs/assets/img/email/ctemplar-dark.svg diff --git a/assets/img/legacy_svg/3rd-party/ctemplar.svg b/docs/assets/img/email/ctemplar.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/ctemplar.svg rename to docs/assets/img/email/ctemplar.svg diff --git a/assets/img/legacy_svg/3rd-party/disroot-dark.svg b/docs/assets/img/email/disroot-dark.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/disroot-dark.svg rename to docs/assets/img/email/disroot-dark.svg 
diff --git a/assets/img/legacy_svg/3rd-party/disroot.svg b/docs/assets/img/email/disroot.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/disroot.svg
rename to docs/assets/img/email/disroot.svg
diff --git a/assets/img/legacy_svg/3rd-party/mail-in-a-box.svg b/docs/assets/img/email/mail-in-a-box.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/mail-in-a-box.svg
rename to docs/assets/img/email/mail-in-a-box.svg
diff --git a/assets/img/legacy_svg/3rd-party/mailboxorg.svg b/docs/assets/img/email/mailboxorg.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/mailboxorg.svg
rename to docs/assets/img/email/mailboxorg.svg
diff --git a/assets/img/legacy_svg/3rd-party/mailcow.svg b/docs/assets/img/email/mailcow.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/mailcow.svg
rename to docs/assets/img/email/mailcow.svg
diff --git a/assets/img/legacy_svg/3rd-party/protonmail.svg b/docs/assets/img/email/protonmail.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/protonmail.svg
rename to docs/assets/img/email/protonmail.svg
diff --git a/assets/img/legacy_svg/3rd-party/simplelogin.svg b/docs/assets/img/email/simplelogin.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/simplelogin.svg
rename to docs/assets/img/email/simplelogin.svg
diff --git a/assets/img/legacy_svg/3rd-party/startmail-dark.svg b/docs/assets/img/email/startmail-dark.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/startmail-dark.svg
rename to docs/assets/img/email/startmail-dark.svg
diff --git a/assets/img/legacy_svg/3rd-party/startmail.svg b/docs/assets/img/email/startmail.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/startmail.svg
rename to docs/assets/img/email/startmail.svg
diff --git a/assets/img/legacy_svg/3rd-party/tutanota-dark.svg b/docs/assets/img/email/tutanota-dark.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/tutanota-dark.svg rename to docs/assets/img/email/tutanota-dark.svg diff --git a/assets/img/legacy_svg/3rd-party/tutanota.svg b/docs/assets/img/email/tutanota.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/tutanota.svg rename to docs/assets/img/email/tutanota.svg diff --git a/docs/assets/img/encryption-software/bitlocker.png b/docs/assets/img/encryption-software/bitlocker.png new file mode 100644 index 00000000..dcc8f474 Binary files /dev/null and b/docs/assets/img/encryption-software/bitlocker.png differ diff --git a/docs/assets/img/encryption-software/cryptomator.svg b/docs/assets/img/encryption-software/cryptomator.svg new file mode 100644 index 00000000..f0bd11f5 --- /dev/null +++ b/docs/assets/img/encryption-software/cryptomator.svg @@ -0,0 +1,2 @@ + + diff --git a/docs/assets/img/encryption-software/filevault.png b/docs/assets/img/encryption-software/filevault.png new file mode 100644 index 00000000..d306ba0b Binary files /dev/null and b/docs/assets/img/encryption-software/filevault.png differ diff --git a/assets/img/legacy_svg/3rd-party/gnupg.svg b/docs/assets/img/encryption-software/gnupg.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/gnupg.svg rename to docs/assets/img/encryption-software/gnupg.svg diff --git a/docs/assets/img/encryption-software/hat-sh-dark.png b/docs/assets/img/encryption-software/hat-sh-dark.png new file mode 100644 index 00000000..0c5931e9 Binary files /dev/null and b/docs/assets/img/encryption-software/hat-sh-dark.png differ diff --git a/docs/assets/img/encryption-software/hat-sh.png b/docs/assets/img/encryption-software/hat-sh.png new file mode 100644 index 00000000..f514b780 Binary files /dev/null and b/docs/assets/img/encryption-software/hat-sh.png differ 
diff --git a/docs/assets/img/encryption-software/kryptor.png b/docs/assets/img/encryption-software/kryptor.png new file mode 100644 index 00000000..08669e02 Binary files /dev/null and b/docs/assets/img/encryption-software/kryptor.png differ diff --git a/docs/assets/img/encryption-software/luks.png b/docs/assets/img/encryption-software/luks.png new file mode 100644 index 00000000..56625494 Binary files /dev/null and b/docs/assets/img/encryption-software/luks.png differ diff --git a/docs/assets/img/encryption-software/picocrypt.svg b/docs/assets/img/encryption-software/picocrypt.svg new file mode 100644 index 00000000..53c41f50 --- /dev/null +++ b/docs/assets/img/encryption-software/picocrypt.svg @@ -0,0 +1,2 @@ + + diff --git a/docs/assets/img/encryption-software/tomb.png b/docs/assets/img/encryption-software/tomb.png new file mode 100644 index 00000000..a7de2dd8 Binary files /dev/null and b/docs/assets/img/encryption-software/tomb.png differ diff --git a/assets/img/legacy_svg/3rd-party/veracrypt-dark.svg b/docs/assets/img/encryption-software/veracrypt-dark.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/veracrypt-dark.svg rename to docs/assets/img/encryption-software/veracrypt-dark.svg diff --git a/assets/img/legacy_svg/3rd-party/veracrypt.svg b/docs/assets/img/encryption-software/veracrypt.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/veracrypt.svg rename to docs/assets/img/encryption-software/veracrypt.svg diff --git a/docs/assets/img/file-sharing-sync/croc.jpg b/docs/assets/img/file-sharing-sync/croc.jpg new file mode 100644 index 00000000..cc60afd6 Binary files /dev/null and b/docs/assets/img/file-sharing-sync/croc.jpg differ diff --git a/docs/assets/img/file-sharing-sync/freedombox.svg b/docs/assets/img/file-sharing-sync/freedombox.svg new file mode 100644 index 00000000..99795080 --- /dev/null +++ b/docs/assets/img/file-sharing-sync/freedombox.svg @@ -0,0 +1,2 @@ + + 
diff --git a/docs/assets/img/file-sharing-sync/gitannex.svg b/docs/assets/img/file-sharing-sync/gitannex.svg new file mode 100644 index 00000000..a4cde380 --- /dev/null +++ b/docs/assets/img/file-sharing-sync/gitannex.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/legacy_png/3rd-party/magic_wormhole.png b/docs/assets/img/file-sharing-sync/magic_wormhole.png similarity index 100% rename from assets/img/legacy_png/3rd-party/magic_wormhole.png rename to docs/assets/img/file-sharing-sync/magic_wormhole.png diff --git a/assets/img/legacy_svg/3rd-party/onionshare.svg b/docs/assets/img/file-sharing-sync/onionshare.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/onionshare.svg rename to docs/assets/img/file-sharing-sync/onionshare.svg diff --git a/assets/img/legacy_svg/3rd-party/syncthing.svg b/docs/assets/img/file-sharing-sync/syncthing.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/syncthing.svg rename to docs/assets/img/file-sharing-sync/syncthing.svg diff --git a/assets/img/flags/ad.svg b/docs/assets/img/flags/ad.svg similarity index 100% rename from assets/img/flags/ad.svg rename to docs/assets/img/flags/ad.svg diff --git a/assets/img/flags/ae.svg b/docs/assets/img/flags/ae.svg similarity index 100% rename from assets/img/flags/ae.svg rename to docs/assets/img/flags/ae.svg diff --git a/assets/img/flags/af.svg b/docs/assets/img/flags/af.svg similarity index 100% rename from assets/img/flags/af.svg rename to docs/assets/img/flags/af.svg diff --git a/assets/img/flags/ag.svg b/docs/assets/img/flags/ag.svg similarity index 100% rename from assets/img/flags/ag.svg rename to docs/assets/img/flags/ag.svg diff --git a/assets/img/flags/ai.svg b/docs/assets/img/flags/ai.svg similarity index 100% rename from assets/img/flags/ai.svg rename to docs/assets/img/flags/ai.svg diff --git a/assets/img/flags/al.svg b/docs/assets/img/flags/al.svg similarity index 100% rename from assets/img/flags/al.svg rename to docs/assets/img/flags/al.svg 
diff --git a/assets/img/flags/am.svg b/docs/assets/img/flags/am.svg
similarity index 100%
rename from assets/img/flags/am.svg
rename to docs/assets/img/flags/am.svg
diff --git a/assets/img/flags/ao.svg b/docs/assets/img/flags/ao.svg
similarity index 100%
rename from assets/img/flags/ao.svg
rename to docs/assets/img/flags/ao.svg
diff --git a/assets/img/flags/aq.svg b/docs/assets/img/flags/aq.svg
similarity index 100%
rename from assets/img/flags/aq.svg
rename to docs/assets/img/flags/aq.svg
diff --git a/assets/img/flags/ar.svg b/docs/assets/img/flags/ar.svg
similarity index 100%
rename from assets/img/flags/ar.svg
rename to docs/assets/img/flags/ar.svg
diff --git a/assets/img/flags/as.svg b/docs/assets/img/flags/as.svg
similarity index 100%
rename from assets/img/flags/as.svg
rename to docs/assets/img/flags/as.svg
diff --git a/assets/img/flags/at.svg b/docs/assets/img/flags/at.svg
similarity index 100%
rename from assets/img/flags/at.svg
rename to docs/assets/img/flags/at.svg
diff --git a/assets/img/flags/au.svg b/docs/assets/img/flags/au.svg
similarity index 100%
rename from assets/img/flags/au.svg
rename to docs/assets/img/flags/au.svg
diff --git a/assets/img/flags/aw.svg b/docs/assets/img/flags/aw.svg
similarity index 100%
rename from assets/img/flags/aw.svg
rename to docs/assets/img/flags/aw.svg
diff --git a/assets/img/flags/ax.svg b/docs/assets/img/flags/ax.svg
similarity index 100%
rename from assets/img/flags/ax.svg
rename to docs/assets/img/flags/ax.svg
diff --git a/assets/img/flags/az.svg b/docs/assets/img/flags/az.svg
similarity index 100%
rename from assets/img/flags/az.svg
rename to docs/assets/img/flags/az.svg
diff --git a/assets/img/flags/ba.svg b/docs/assets/img/flags/ba.svg
similarity index 100%
rename from assets/img/flags/ba.svg
rename to docs/assets/img/flags/ba.svg
diff --git a/assets/img/flags/bb.svg b/docs/assets/img/flags/bb.svg
similarity index 100%
rename from assets/img/flags/bb.svg
rename to docs/assets/img/flags/bb.svg
diff --git a/assets/img/flags/bd.svg b/docs/assets/img/flags/bd.svg
similarity index 100%
rename from assets/img/flags/bd.svg
rename to docs/assets/img/flags/bd.svg
diff --git a/assets/img/flags/be.svg b/docs/assets/img/flags/be.svg
similarity index 100%
rename from assets/img/flags/be.svg
rename to docs/assets/img/flags/be.svg
diff --git a/assets/img/flags/bf.svg b/docs/assets/img/flags/bf.svg
similarity index 100%
rename from assets/img/flags/bf.svg
rename to docs/assets/img/flags/bf.svg
diff --git a/assets/img/flags/bg.svg b/docs/assets/img/flags/bg.svg
similarity index 100%
rename from assets/img/flags/bg.svg
rename to docs/assets/img/flags/bg.svg
diff --git a/assets/img/flags/bh.svg b/docs/assets/img/flags/bh.svg
similarity index 100%
rename from assets/img/flags/bh.svg
rename to docs/assets/img/flags/bh.svg
diff --git a/assets/img/flags/bi.svg b/docs/assets/img/flags/bi.svg
similarity index 100%
rename from assets/img/flags/bi.svg
rename to docs/assets/img/flags/bi.svg
diff --git a/assets/img/flags/bj.svg b/docs/assets/img/flags/bj.svg
similarity index 100%
rename from assets/img/flags/bj.svg
rename to docs/assets/img/flags/bj.svg
diff --git a/assets/img/flags/bl.svg b/docs/assets/img/flags/bl.svg
similarity index 100%
rename from assets/img/flags/bl.svg
rename to docs/assets/img/flags/bl.svg
diff --git a/assets/img/flags/bm.svg b/docs/assets/img/flags/bm.svg
similarity index 100%
rename from assets/img/flags/bm.svg
rename to docs/assets/img/flags/bm.svg
diff --git a/assets/img/flags/bn.svg b/docs/assets/img/flags/bn.svg
similarity index 100%
rename from assets/img/flags/bn.svg
rename to docs/assets/img/flags/bn.svg
diff --git a/assets/img/flags/bo.svg b/docs/assets/img/flags/bo.svg
similarity index 100%
rename from assets/img/flags/bo.svg
rename to docs/assets/img/flags/bo.svg
diff --git a/assets/img/flags/bq.svg b/docs/assets/img/flags/bq.svg
similarity index 100%
rename from assets/img/flags/bq.svg
rename to docs/assets/img/flags/bq.svg
diff --git a/assets/img/flags/br.svg b/docs/assets/img/flags/br.svg
similarity index 100%
rename from assets/img/flags/br.svg
rename to docs/assets/img/flags/br.svg
diff --git a/assets/img/flags/bs.svg b/docs/assets/img/flags/bs.svg
similarity index 100%
rename from assets/img/flags/bs.svg
rename to docs/assets/img/flags/bs.svg
diff --git a/assets/img/flags/bt.svg b/docs/assets/img/flags/bt.svg
similarity index 100%
rename from assets/img/flags/bt.svg
rename to docs/assets/img/flags/bt.svg
diff --git a/assets/img/flags/bv.svg b/docs/assets/img/flags/bv.svg
similarity index 100%
rename from assets/img/flags/bv.svg
rename to docs/assets/img/flags/bv.svg
diff --git a/assets/img/flags/bw.svg b/docs/assets/img/flags/bw.svg
similarity index 100%
rename from assets/img/flags/bw.svg
rename to docs/assets/img/flags/bw.svg
diff --git a/assets/img/flags/by.svg b/docs/assets/img/flags/by.svg
similarity index 100%
rename from assets/img/flags/by.svg
rename to docs/assets/img/flags/by.svg
diff --git a/assets/img/flags/bz.svg b/docs/assets/img/flags/bz.svg
similarity index 100%
rename from assets/img/flags/bz.svg
rename to docs/assets/img/flags/bz.svg
diff --git a/assets/img/flags/ca.svg b/docs/assets/img/flags/ca.svg
similarity index 100%
rename from assets/img/flags/ca.svg
rename to docs/assets/img/flags/ca.svg
diff --git a/assets/img/flags/cc.svg b/docs/assets/img/flags/cc.svg
similarity index 100%
rename from assets/img/flags/cc.svg
rename to docs/assets/img/flags/cc.svg
diff --git a/assets/img/flags/cd.svg b/docs/assets/img/flags/cd.svg
similarity index 100%
rename from assets/img/flags/cd.svg
rename to docs/assets/img/flags/cd.svg
diff --git a/assets/img/flags/cf.svg b/docs/assets/img/flags/cf.svg
similarity index 100%
rename from assets/img/flags/cf.svg
rename to docs/assets/img/flags/cf.svg
diff --git a/assets/img/flags/cg.svg b/docs/assets/img/flags/cg.svg
similarity index 100%
rename from assets/img/flags/cg.svg
rename to docs/assets/img/flags/cg.svg
diff --git a/assets/img/flags/ch.svg b/docs/assets/img/flags/ch.svg
similarity index 100%
rename from assets/img/flags/ch.svg
rename to docs/assets/img/flags/ch.svg
diff --git a/assets/img/flags/ci.svg b/docs/assets/img/flags/ci.svg
similarity index 100%
rename from assets/img/flags/ci.svg
rename to docs/assets/img/flags/ci.svg
diff --git a/assets/img/flags/ck.svg b/docs/assets/img/flags/ck.svg
similarity index 100%
rename from assets/img/flags/ck.svg
rename to docs/assets/img/flags/ck.svg
diff --git a/assets/img/flags/cl.svg b/docs/assets/img/flags/cl.svg
similarity index 100%
rename from assets/img/flags/cl.svg
rename to docs/assets/img/flags/cl.svg
diff --git a/assets/img/flags/cm.svg b/docs/assets/img/flags/cm.svg
similarity index 100%
rename from assets/img/flags/cm.svg
rename to docs/assets/img/flags/cm.svg
diff --git a/assets/img/flags/cn.svg b/docs/assets/img/flags/cn.svg
similarity index 100%
rename from assets/img/flags/cn.svg
rename to docs/assets/img/flags/cn.svg
diff --git a/assets/img/flags/co.svg b/docs/assets/img/flags/co.svg
similarity index 100%
rename from assets/img/flags/co.svg
rename to docs/assets/img/flags/co.svg
diff --git a/assets/img/flags/cr.svg b/docs/assets/img/flags/cr.svg
similarity index 100%
rename from assets/img/flags/cr.svg
rename to docs/assets/img/flags/cr.svg
diff --git a/assets/img/flags/cu.svg b/docs/assets/img/flags/cu.svg
similarity index 100%
rename from assets/img/flags/cu.svg
rename to docs/assets/img/flags/cu.svg
diff --git a/assets/img/flags/cv.svg b/docs/assets/img/flags/cv.svg
similarity index 100%
rename from assets/img/flags/cv.svg
rename to docs/assets/img/flags/cv.svg
diff --git a/assets/img/flags/cw.svg b/docs/assets/img/flags/cw.svg
similarity index 100%
rename from assets/img/flags/cw.svg
rename to docs/assets/img/flags/cw.svg
diff --git a/assets/img/flags/cx.svg b/docs/assets/img/flags/cx.svg
similarity index 100%
rename from assets/img/flags/cx.svg
rename to docs/assets/img/flags/cx.svg
diff --git a/assets/img/flags/cy.svg b/docs/assets/img/flags/cy.svg
similarity index 100%
rename from assets/img/flags/cy.svg
rename to docs/assets/img/flags/cy.svg
diff --git a/assets/img/flags/cz.svg b/docs/assets/img/flags/cz.svg
similarity index 100%
rename from assets/img/flags/cz.svg
rename to docs/assets/img/flags/cz.svg
diff --git a/assets/img/flags/de.svg b/docs/assets/img/flags/de.svg
similarity index 100%
rename from assets/img/flags/de.svg
rename to docs/assets/img/flags/de.svg
diff --git a/assets/img/flags/dj.svg b/docs/assets/img/flags/dj.svg
similarity index 100%
rename from assets/img/flags/dj.svg
rename to docs/assets/img/flags/dj.svg
diff --git a/assets/img/flags/dk.svg b/docs/assets/img/flags/dk.svg
similarity index 100%
rename from assets/img/flags/dk.svg
rename to docs/assets/img/flags/dk.svg
diff --git a/assets/img/flags/dm.svg b/docs/assets/img/flags/dm.svg
similarity index 100%
rename from assets/img/flags/dm.svg
rename to docs/assets/img/flags/dm.svg
diff --git a/assets/img/flags/do.svg b/docs/assets/img/flags/do.svg
similarity index 100%
rename from assets/img/flags/do.svg
rename to docs/assets/img/flags/do.svg
diff --git a/assets/img/flags/dz.svg b/docs/assets/img/flags/dz.svg
similarity index 100%
rename from assets/img/flags/dz.svg
rename to docs/assets/img/flags/dz.svg
diff --git a/assets/img/flags/ec.svg b/docs/assets/img/flags/ec.svg
similarity index 100%
rename from assets/img/flags/ec.svg
rename to docs/assets/img/flags/ec.svg
diff --git a/assets/img/flags/ee.svg b/docs/assets/img/flags/ee.svg
similarity index 100%
rename from assets/img/flags/ee.svg
rename to docs/assets/img/flags/ee.svg
diff --git a/assets/img/flags/eg.svg b/docs/assets/img/flags/eg.svg
similarity index 100%
rename from assets/img/flags/eg.svg
rename to docs/assets/img/flags/eg.svg
diff --git a/assets/img/flags/eh.svg b/docs/assets/img/flags/eh.svg
similarity index 100%
rename from assets/img/flags/eh.svg
rename to docs/assets/img/flags/eh.svg
diff --git a/assets/img/flags/er.svg b/docs/assets/img/flags/er.svg
similarity index 100%
rename from assets/img/flags/er.svg
rename to docs/assets/img/flags/er.svg
diff --git a/assets/img/flags/es.svg b/docs/assets/img/flags/es.svg
similarity index 100%
rename from assets/img/flags/es.svg
rename to docs/assets/img/flags/es.svg
diff --git a/assets/img/flags/et.svg b/docs/assets/img/flags/et.svg
similarity index 100%
rename from assets/img/flags/et.svg
rename to docs/assets/img/flags/et.svg
diff --git a/assets/img/flags/eu.svg b/docs/assets/img/flags/eu.svg
similarity index 100%
rename from assets/img/flags/eu.svg
rename to docs/assets/img/flags/eu.svg
diff --git a/assets/img/flags/fi.svg b/docs/assets/img/flags/fi.svg
similarity index 100%
rename from assets/img/flags/fi.svg
rename to docs/assets/img/flags/fi.svg
diff --git a/assets/img/flags/fj.svg b/docs/assets/img/flags/fj.svg
similarity index 100%
rename from assets/img/flags/fj.svg
rename to docs/assets/img/flags/fj.svg
diff --git a/assets/img/flags/fk.svg b/docs/assets/img/flags/fk.svg
similarity index 100%
rename from assets/img/flags/fk.svg
rename to docs/assets/img/flags/fk.svg
diff --git a/assets/img/flags/fm.svg b/docs/assets/img/flags/fm.svg
similarity index 100%
rename from assets/img/flags/fm.svg
rename to docs/assets/img/flags/fm.svg
diff --git a/assets/img/flags/fo.svg b/docs/assets/img/flags/fo.svg
similarity index 100%
rename from assets/img/flags/fo.svg
rename to docs/assets/img/flags/fo.svg
diff --git a/assets/img/flags/fr.svg b/docs/assets/img/flags/fr.svg
similarity index 100%
rename from assets/img/flags/fr.svg
rename to docs/assets/img/flags/fr.svg
diff --git a/assets/img/flags/ga.svg b/docs/assets/img/flags/ga.svg
similarity index 100%
rename from assets/img/flags/ga.svg
rename to docs/assets/img/flags/ga.svg
diff --git a/assets/img/flags/gb-eng.svg b/docs/assets/img/flags/gb-eng.svg
similarity index 100%
rename from assets/img/flags/gb-eng.svg
rename to docs/assets/img/flags/gb-eng.svg
diff --git a/assets/img/flags/gb-sct.svg b/docs/assets/img/flags/gb-sct.svg
similarity index 100%
rename from assets/img/flags/gb-sct.svg
rename to docs/assets/img/flags/gb-sct.svg
diff --git a/assets/img/flags/gb-wls.svg b/docs/assets/img/flags/gb-wls.svg
similarity index 100%
rename from assets/img/flags/gb-wls.svg
rename to docs/assets/img/flags/gb-wls.svg
diff --git a/assets/img/flags/gb.svg b/docs/assets/img/flags/gb.svg
similarity index 100%
rename from assets/img/flags/gb.svg
rename to docs/assets/img/flags/gb.svg
diff --git a/assets/img/flags/gd.svg b/docs/assets/img/flags/gd.svg
similarity index 100%
rename from assets/img/flags/gd.svg
rename to docs/assets/img/flags/gd.svg
diff --git a/assets/img/flags/ge.svg b/docs/assets/img/flags/ge.svg
similarity index 100%
rename from assets/img/flags/ge.svg
rename to docs/assets/img/flags/ge.svg
diff --git a/assets/img/flags/gf.svg b/docs/assets/img/flags/gf.svg
similarity index 100%
rename from assets/img/flags/gf.svg
rename to docs/assets/img/flags/gf.svg
diff --git a/assets/img/flags/gg.svg b/docs/assets/img/flags/gg.svg
similarity index 100%
rename from assets/img/flags/gg.svg
rename to docs/assets/img/flags/gg.svg
diff --git a/assets/img/flags/gh.svg b/docs/assets/img/flags/gh.svg
similarity index 100%
rename from assets/img/flags/gh.svg
rename to docs/assets/img/flags/gh.svg
diff --git a/assets/img/flags/gi.svg b/docs/assets/img/flags/gi.svg
similarity index 100%
rename from assets/img/flags/gi.svg
rename to docs/assets/img/flags/gi.svg
diff --git a/assets/img/flags/gl.svg b/docs/assets/img/flags/gl.svg
similarity index 100%
rename from assets/img/flags/gl.svg
rename to docs/assets/img/flags/gl.svg
diff --git a/assets/img/flags/gm.svg b/docs/assets/img/flags/gm.svg
similarity index 100%
rename from assets/img/flags/gm.svg
rename to docs/assets/img/flags/gm.svg
diff --git a/assets/img/flags/gn.svg b/docs/assets/img/flags/gn.svg
similarity index 100%
rename from assets/img/flags/gn.svg
rename to docs/assets/img/flags/gn.svg
diff --git a/assets/img/flags/gp.svg b/docs/assets/img/flags/gp.svg
similarity index 100%
rename from assets/img/flags/gp.svg
rename to docs/assets/img/flags/gp.svg
diff --git a/assets/img/flags/gq.svg b/docs/assets/img/flags/gq.svg
similarity index 100%
rename from assets/img/flags/gq.svg
rename to docs/assets/img/flags/gq.svg
diff --git a/assets/img/flags/gr.svg b/docs/assets/img/flags/gr.svg
similarity index 100%
rename from assets/img/flags/gr.svg
rename to docs/assets/img/flags/gr.svg
diff --git a/assets/img/flags/gs.svg b/docs/assets/img/flags/gs.svg
similarity index 100%
rename from assets/img/flags/gs.svg
rename to docs/assets/img/flags/gs.svg
diff --git a/assets/img/flags/gt.svg b/docs/assets/img/flags/gt.svg
similarity index 100%
rename from assets/img/flags/gt.svg
rename to docs/assets/img/flags/gt.svg
diff --git a/assets/img/flags/gu.svg b/docs/assets/img/flags/gu.svg
similarity index 100%
rename from assets/img/flags/gu.svg
rename to docs/assets/img/flags/gu.svg
diff --git a/assets/img/flags/gw.svg b/docs/assets/img/flags/gw.svg
similarity index 100%
rename from assets/img/flags/gw.svg
rename to docs/assets/img/flags/gw.svg
diff --git a/assets/img/flags/gy.svg b/docs/assets/img/flags/gy.svg
similarity index 100%
rename from assets/img/flags/gy.svg
rename to docs/assets/img/flags/gy.svg
diff --git a/assets/img/flags/hk.svg b/docs/assets/img/flags/hk.svg
similarity index 100%
rename from assets/img/flags/hk.svg
rename to docs/assets/img/flags/hk.svg
diff --git a/assets/img/flags/hm.svg b/docs/assets/img/flags/hm.svg
similarity index 100%
rename from assets/img/flags/hm.svg
rename to docs/assets/img/flags/hm.svg
diff --git a/assets/img/flags/hn.svg b/docs/assets/img/flags/hn.svg
similarity index 100%
rename from assets/img/flags/hn.svg
rename to docs/assets/img/flags/hn.svg
diff --git a/assets/img/flags/hr.svg b/docs/assets/img/flags/hr.svg
similarity index 100%
rename from assets/img/flags/hr.svg
rename to docs/assets/img/flags/hr.svg
diff --git a/assets/img/flags/ht.svg b/docs/assets/img/flags/ht.svg
similarity index 100%
rename from assets/img/flags/ht.svg
rename to docs/assets/img/flags/ht.svg
diff --git a/assets/img/flags/hu.svg b/docs/assets/img/flags/hu.svg
similarity index 100%
rename from assets/img/flags/hu.svg
rename to docs/assets/img/flags/hu.svg
diff --git a/assets/img/flags/id.svg b/docs/assets/img/flags/id.svg
similarity index 100%
rename from assets/img/flags/id.svg
rename to docs/assets/img/flags/id.svg
diff --git a/assets/img/flags/ie.svg b/docs/assets/img/flags/ie.svg
similarity index 100%
rename from assets/img/flags/ie.svg
rename to docs/assets/img/flags/ie.svg
diff --git a/assets/img/flags/il.svg b/docs/assets/img/flags/il.svg
similarity index 100%
rename from assets/img/flags/il.svg
rename to docs/assets/img/flags/il.svg
diff --git a/assets/img/flags/im.svg b/docs/assets/img/flags/im.svg
similarity index 100%
rename from assets/img/flags/im.svg
rename to docs/assets/img/flags/im.svg
diff --git a/assets/img/flags/in.svg b/docs/assets/img/flags/in.svg
similarity index 100%
rename from assets/img/flags/in.svg
rename to docs/assets/img/flags/in.svg
diff --git a/assets/img/flags/io.svg b/docs/assets/img/flags/io.svg
similarity index 100%
rename from assets/img/flags/io.svg
rename to docs/assets/img/flags/io.svg
diff --git a/assets/img/flags/iq.svg b/docs/assets/img/flags/iq.svg
similarity index 100%
rename from assets/img/flags/iq.svg
rename to docs/assets/img/flags/iq.svg
diff --git a/assets/img/flags/ir.svg b/docs/assets/img/flags/ir.svg
similarity index 100%
rename from assets/img/flags/ir.svg
rename to docs/assets/img/flags/ir.svg
diff --git a/assets/img/flags/is.svg b/docs/assets/img/flags/is.svg
similarity index 100%
rename from assets/img/flags/is.svg
rename to docs/assets/img/flags/is.svg
diff --git a/assets/img/flags/it.svg b/docs/assets/img/flags/it.svg
similarity index 100%
rename from assets/img/flags/it.svg
rename to docs/assets/img/flags/it.svg
diff --git a/assets/img/flags/je.svg b/docs/assets/img/flags/je.svg
similarity index 100%
rename from assets/img/flags/je.svg
rename to docs/assets/img/flags/je.svg
diff --git a/assets/img/flags/jm.svg b/docs/assets/img/flags/jm.svg
similarity index 100%
rename from assets/img/flags/jm.svg
rename to docs/assets/img/flags/jm.svg
diff --git a/assets/img/flags/jo.svg b/docs/assets/img/flags/jo.svg
similarity index 100%
rename from assets/img/flags/jo.svg
rename to docs/assets/img/flags/jo.svg
diff --git a/assets/img/flags/jp.svg b/docs/assets/img/flags/jp.svg
similarity index 100%
rename from assets/img/flags/jp.svg
rename to docs/assets/img/flags/jp.svg
diff --git a/assets/img/flags/ke.svg b/docs/assets/img/flags/ke.svg
similarity index 100%
rename from assets/img/flags/ke.svg
rename to docs/assets/img/flags/ke.svg
diff --git a/assets/img/flags/kg.svg b/docs/assets/img/flags/kg.svg
similarity index 100%
rename from assets/img/flags/kg.svg
rename to docs/assets/img/flags/kg.svg
diff --git a/assets/img/flags/kh.svg b/docs/assets/img/flags/kh.svg
similarity index 100%
rename from assets/img/flags/kh.svg
rename to docs/assets/img/flags/kh.svg
diff --git a/assets/img/flags/ki.svg b/docs/assets/img/flags/ki.svg
similarity index 100%
rename from assets/img/flags/ki.svg
rename to docs/assets/img/flags/ki.svg
diff --git a/assets/img/flags/km.svg b/docs/assets/img/flags/km.svg
similarity index 100%
rename from assets/img/flags/km.svg
rename to docs/assets/img/flags/km.svg
diff --git a/assets/img/flags/kn.svg b/docs/assets/img/flags/kn.svg
similarity index 100%
rename from assets/img/flags/kn.svg
rename to docs/assets/img/flags/kn.svg
diff --git a/assets/img/flags/kp.svg b/docs/assets/img/flags/kp.svg
similarity index 100%
rename from assets/img/flags/kp.svg
rename to docs/assets/img/flags/kp.svg
diff --git a/assets/img/flags/kr.svg b/docs/assets/img/flags/kr.svg
similarity index 100%
rename from assets/img/flags/kr.svg
rename to docs/assets/img/flags/kr.svg
diff --git a/assets/img/flags/kw.svg b/docs/assets/img/flags/kw.svg
similarity index 100%
rename from assets/img/flags/kw.svg
rename to docs/assets/img/flags/kw.svg
diff --git a/assets/img/flags/ky.svg b/docs/assets/img/flags/ky.svg
similarity index 100%
rename from assets/img/flags/ky.svg
rename to docs/assets/img/flags/ky.svg
diff --git a/assets/img/flags/kz.svg b/docs/assets/img/flags/kz.svg
similarity index 100%
rename from assets/img/flags/kz.svg
rename to docs/assets/img/flags/kz.svg
diff --git a/assets/img/flags/la.svg b/docs/assets/img/flags/la.svg
similarity index 100%
rename from assets/img/flags/la.svg
rename to docs/assets/img/flags/la.svg
diff --git a/assets/img/flags/lb.svg b/docs/assets/img/flags/lb.svg
similarity index 100%
rename from assets/img/flags/lb.svg
rename to docs/assets/img/flags/lb.svg
diff --git a/assets/img/flags/lc.svg b/docs/assets/img/flags/lc.svg
similarity index 100%
rename from assets/img/flags/lc.svg
rename to docs/assets/img/flags/lc.svg
diff --git a/assets/img/flags/li.svg b/docs/assets/img/flags/li.svg
similarity index 100%
rename from assets/img/flags/li.svg
rename to docs/assets/img/flags/li.svg
diff --git a/assets/img/flags/lk.svg b/docs/assets/img/flags/lk.svg
similarity index 100%
rename from assets/img/flags/lk.svg
rename to docs/assets/img/flags/lk.svg
diff --git a/assets/img/flags/lr.svg b/docs/assets/img/flags/lr.svg
similarity index 100%
rename from assets/img/flags/lr.svg
rename to docs/assets/img/flags/lr.svg
diff --git a/assets/img/flags/ls.svg b/docs/assets/img/flags/ls.svg
similarity index 100%
rename from assets/img/flags/ls.svg
rename to docs/assets/img/flags/ls.svg
diff --git a/assets/img/flags/lt.svg b/docs/assets/img/flags/lt.svg
similarity index 100%
rename from assets/img/flags/lt.svg
rename to docs/assets/img/flags/lt.svg
diff --git a/assets/img/flags/lu.svg b/docs/assets/img/flags/lu.svg
similarity index 100%
rename from assets/img/flags/lu.svg
rename to docs/assets/img/flags/lu.svg
diff --git a/assets/img/flags/lv.svg b/docs/assets/img/flags/lv.svg
similarity index 100%
rename from assets/img/flags/lv.svg
rename to docs/assets/img/flags/lv.svg
diff --git a/assets/img/flags/ly.svg b/docs/assets/img/flags/ly.svg
similarity index 100%
rename from assets/img/flags/ly.svg
rename to docs/assets/img/flags/ly.svg
diff --git a/assets/img/flags/ma.svg b/docs/assets/img/flags/ma.svg
similarity index 100%
rename from assets/img/flags/ma.svg
rename to docs/assets/img/flags/ma.svg
diff --git a/assets/img/flags/mc.svg b/docs/assets/img/flags/mc.svg
similarity index 100%
rename from assets/img/flags/mc.svg
rename to docs/assets/img/flags/mc.svg
diff --git a/assets/img/flags/md.svg b/docs/assets/img/flags/md.svg
similarity index 100%
rename from assets/img/flags/md.svg
rename to docs/assets/img/flags/md.svg
diff --git a/assets/img/flags/me.svg b/docs/assets/img/flags/me.svg
similarity index 100%
rename from assets/img/flags/me.svg
rename to docs/assets/img/flags/me.svg
diff --git a/assets/img/flags/mf.svg b/docs/assets/img/flags/mf.svg
similarity index 100%
rename from assets/img/flags/mf.svg
rename to docs/assets/img/flags/mf.svg
diff --git a/assets/img/flags/mg.svg b/docs/assets/img/flags/mg.svg
similarity index 100%
rename from assets/img/flags/mg.svg
rename to docs/assets/img/flags/mg.svg
diff --git a/assets/img/flags/mh.svg b/docs/assets/img/flags/mh.svg
similarity index 100%
rename from assets/img/flags/mh.svg
rename to docs/assets/img/flags/mh.svg
diff --git a/assets/img/flags/mk.svg b/docs/assets/img/flags/mk.svg
similarity index 100%
rename from assets/img/flags/mk.svg
rename to docs/assets/img/flags/mk.svg
diff --git a/assets/img/flags/ml.svg b/docs/assets/img/flags/ml.svg
similarity index 100%
rename from assets/img/flags/ml.svg
rename to docs/assets/img/flags/ml.svg
diff --git a/assets/img/flags/mm.svg b/docs/assets/img/flags/mm.svg
similarity index 100%
rename from assets/img/flags/mm.svg
rename to docs/assets/img/flags/mm.svg
diff --git a/assets/img/flags/mn.svg b/docs/assets/img/flags/mn.svg
similarity index 100%
rename from assets/img/flags/mn.svg
rename to docs/assets/img/flags/mn.svg
diff --git a/assets/img/flags/mo.svg b/docs/assets/img/flags/mo.svg
similarity index 100%
rename from assets/img/flags/mo.svg
rename to docs/assets/img/flags/mo.svg
diff --git a/assets/img/flags/mp.svg b/docs/assets/img/flags/mp.svg
similarity index 100%
rename from assets/img/flags/mp.svg
rename to docs/assets/img/flags/mp.svg
diff --git a/assets/img/flags/mq.svg b/docs/assets/img/flags/mq.svg
similarity index 100%
rename from assets/img/flags/mq.svg
rename to docs/assets/img/flags/mq.svg
diff --git a/assets/img/flags/mr.svg b/docs/assets/img/flags/mr.svg
similarity index 100%
rename from assets/img/flags/mr.svg
rename to docs/assets/img/flags/mr.svg
diff --git a/assets/img/flags/ms.svg b/docs/assets/img/flags/ms.svg
similarity index 100%
rename from assets/img/flags/ms.svg
rename to docs/assets/img/flags/ms.svg
diff --git a/assets/img/flags/mt.svg b/docs/assets/img/flags/mt.svg
similarity index 100%
rename from assets/img/flags/mt.svg
rename to docs/assets/img/flags/mt.svg
diff --git a/assets/img/flags/mu.svg b/docs/assets/img/flags/mu.svg
similarity index 100%
rename from assets/img/flags/mu.svg
rename to docs/assets/img/flags/mu.svg
diff --git a/assets/img/flags/mv.svg b/docs/assets/img/flags/mv.svg
similarity index 100%
rename from assets/img/flags/mv.svg
rename to docs/assets/img/flags/mv.svg
diff --git a/assets/img/flags/mw.svg b/docs/assets/img/flags/mw.svg
similarity index 100%
rename from assets/img/flags/mw.svg
rename to docs/assets/img/flags/mw.svg
diff --git a/assets/img/flags/mx.svg b/docs/assets/img/flags/mx.svg
similarity index 100%
rename from assets/img/flags/mx.svg
rename to docs/assets/img/flags/mx.svg
diff --git a/assets/img/flags/my.svg b/docs/assets/img/flags/my.svg
similarity index 100%
rename from assets/img/flags/my.svg
rename to docs/assets/img/flags/my.svg
diff --git a/assets/img/flags/mz.svg b/docs/assets/img/flags/mz.svg
similarity index 100%
rename from assets/img/flags/mz.svg
rename to docs/assets/img/flags/mz.svg
diff --git a/assets/img/flags/na.svg b/docs/assets/img/flags/na.svg
similarity index 100%
rename from assets/img/flags/na.svg
rename to docs/assets/img/flags/na.svg
diff --git a/assets/img/flags/nc.svg b/docs/assets/img/flags/nc.svg
similarity index 100%
rename from assets/img/flags/nc.svg
rename to docs/assets/img/flags/nc.svg
diff --git a/assets/img/flags/ne.svg b/docs/assets/img/flags/ne.svg
similarity index 100%
rename from assets/img/flags/ne.svg
rename to docs/assets/img/flags/ne.svg
diff --git a/assets/img/flags/nf.svg b/docs/assets/img/flags/nf.svg
similarity index 100%
rename from assets/img/flags/nf.svg
rename to docs/assets/img/flags/nf.svg
diff --git a/assets/img/flags/ng.svg b/docs/assets/img/flags/ng.svg
similarity index 100%
rename from assets/img/flags/ng.svg
rename to docs/assets/img/flags/ng.svg
diff --git a/assets/img/flags/ni.svg b/docs/assets/img/flags/ni.svg
similarity index 100%
rename from assets/img/flags/ni.svg
rename to docs/assets/img/flags/ni.svg
diff --git a/assets/img/flags/nl.svg b/docs/assets/img/flags/nl.svg
similarity index 100%
rename from assets/img/flags/nl.svg
rename to docs/assets/img/flags/nl.svg
diff --git a/assets/img/flags/no.svg b/docs/assets/img/flags/no.svg
similarity index 100%
rename from assets/img/flags/no.svg
rename to docs/assets/img/flags/no.svg
diff --git a/assets/img/flags/np.svg b/docs/assets/img/flags/np.svg
similarity index 100%
rename from assets/img/flags/np.svg
rename to docs/assets/img/flags/np.svg
diff --git a/assets/img/flags/nr.svg b/docs/assets/img/flags/nr.svg
similarity index 100%
rename from assets/img/flags/nr.svg
rename to docs/assets/img/flags/nr.svg
diff --git a/assets/img/flags/nu.svg b/docs/assets/img/flags/nu.svg
similarity index 100%
rename from assets/img/flags/nu.svg
rename to docs/assets/img/flags/nu.svg
diff --git a/assets/img/flags/nz.svg b/docs/assets/img/flags/nz.svg
similarity index 100%
rename from assets/img/flags/nz.svg
rename to docs/assets/img/flags/nz.svg
diff --git a/assets/img/flags/om.svg b/docs/assets/img/flags/om.svg
similarity index 100%
rename from assets/img/flags/om.svg
rename to docs/assets/img/flags/om.svg
diff --git a/assets/img/flags/pa.svg b/docs/assets/img/flags/pa.svg
similarity index 100%
rename from assets/img/flags/pa.svg
rename to docs/assets/img/flags/pa.svg
diff --git a/assets/img/flags/pe.svg b/docs/assets/img/flags/pe.svg
similarity index 100%
rename from assets/img/flags/pe.svg
rename to docs/assets/img/flags/pe.svg
diff --git a/assets/img/flags/pf.svg b/docs/assets/img/flags/pf.svg
similarity index 100%
rename from assets/img/flags/pf.svg
rename to docs/assets/img/flags/pf.svg
diff --git a/assets/img/flags/pg.svg b/docs/assets/img/flags/pg.svg
similarity index 100%
rename from assets/img/flags/pg.svg
rename to docs/assets/img/flags/pg.svg
diff --git a/assets/img/flags/ph.svg b/docs/assets/img/flags/ph.svg
similarity index 100%
rename from assets/img/flags/ph.svg
rename to docs/assets/img/flags/ph.svg
diff --git a/assets/img/flags/pk.svg b/docs/assets/img/flags/pk.svg
similarity index 100%
rename from assets/img/flags/pk.svg
rename to docs/assets/img/flags/pk.svg
diff --git a/assets/img/flags/pl.svg b/docs/assets/img/flags/pl.svg
similarity index 100%
rename from assets/img/flags/pl.svg
rename to docs/assets/img/flags/pl.svg
diff --git a/assets/img/flags/pm.svg b/docs/assets/img/flags/pm.svg
similarity index 100%
rename from assets/img/flags/pm.svg
rename to docs/assets/img/flags/pm.svg
diff --git a/assets/img/flags/pn.svg b/docs/assets/img/flags/pn.svg
similarity index 100%
rename from assets/img/flags/pn.svg
rename to docs/assets/img/flags/pn.svg
diff --git a/assets/img/flags/pr.svg b/docs/assets/img/flags/pr.svg
similarity index 100%
rename from assets/img/flags/pr.svg
rename to docs/assets/img/flags/pr.svg
diff --git a/assets/img/flags/ps.svg b/docs/assets/img/flags/ps.svg
similarity index 100%
rename from assets/img/flags/ps.svg
rename to docs/assets/img/flags/ps.svg
diff --git a/assets/img/flags/pt.svg b/docs/assets/img/flags/pt.svg
similarity index 100%
rename from assets/img/flags/pt.svg
rename to docs/assets/img/flags/pt.svg
diff --git a/assets/img/flags/pw.svg b/docs/assets/img/flags/pw.svg
similarity index 100%
rename from assets/img/flags/pw.svg
rename to docs/assets/img/flags/pw.svg
diff --git a/assets/img/flags/py.svg b/docs/assets/img/flags/py.svg
similarity index 100%
rename from assets/img/flags/py.svg
rename to docs/assets/img/flags/py.svg
diff --git a/assets/img/flags/qa.svg b/docs/assets/img/flags/qa.svg
similarity index 100%
rename from assets/img/flags/qa.svg
rename to docs/assets/img/flags/qa.svg
diff --git a/assets/img/flags/re.svg b/docs/assets/img/flags/re.svg
similarity index 100%
rename from assets/img/flags/re.svg
rename to docs/assets/img/flags/re.svg
diff --git a/assets/img/flags/ro.svg b/docs/assets/img/flags/ro.svg
similarity index 100%
rename from assets/img/flags/ro.svg
rename to docs/assets/img/flags/ro.svg
diff --git a/assets/img/flags/rs.svg b/docs/assets/img/flags/rs.svg
similarity index 100%
rename from assets/img/flags/rs.svg
rename to docs/assets/img/flags/rs.svg
diff --git a/assets/img/flags/ru.svg b/docs/assets/img/flags/ru.svg
similarity index 100%
rename from assets/img/flags/ru.svg
rename to docs/assets/img/flags/ru.svg
diff --git a/assets/img/flags/rw.svg b/docs/assets/img/flags/rw.svg
similarity index 100%
rename from assets/img/flags/rw.svg
rename to docs/assets/img/flags/rw.svg
diff --git a/assets/img/flags/sa.svg b/docs/assets/img/flags/sa.svg
similarity index 100%
rename from assets/img/flags/sa.svg
rename to docs/assets/img/flags/sa.svg
diff --git a/assets/img/flags/sb.svg b/docs/assets/img/flags/sb.svg
similarity index 100%
rename from assets/img/flags/sb.svg
rename to docs/assets/img/flags/sb.svg
diff --git a/assets/img/flags/sc.svg b/docs/assets/img/flags/sc.svg
similarity index 100%
rename from assets/img/flags/sc.svg
rename to docs/assets/img/flags/sc.svg
diff --git a/assets/img/flags/sd.svg b/docs/assets/img/flags/sd.svg
similarity index 100%
rename from assets/img/flags/sd.svg
rename to docs/assets/img/flags/sd.svg
diff --git a/assets/img/flags/se.svg b/docs/assets/img/flags/se.svg
similarity index 100%
rename from assets/img/flags/se.svg
rename to docs/assets/img/flags/se.svg
diff --git a/assets/img/flags/sg.svg b/docs/assets/img/flags/sg.svg
similarity index 100%
rename from assets/img/flags/sg.svg
rename to docs/assets/img/flags/sg.svg
diff --git a/assets/img/flags/sh.svg b/docs/assets/img/flags/sh.svg
similarity index 100%
rename from assets/img/flags/sh.svg
rename to docs/assets/img/flags/sh.svg
diff --git a/assets/img/flags/si.svg b/docs/assets/img/flags/si.svg
similarity index 100%
rename from assets/img/flags/si.svg
rename to docs/assets/img/flags/si.svg
diff --git a/assets/img/flags/sj.svg b/docs/assets/img/flags/sj.svg
similarity index 100%
rename from assets/img/flags/sj.svg
rename to docs/assets/img/flags/sj.svg
diff --git a/assets/img/flags/sk.svg b/docs/assets/img/flags/sk.svg
similarity index 100%
rename from assets/img/flags/sk.svg
rename to docs/assets/img/flags/sk.svg
diff --git a/assets/img/flags/sl.svg b/docs/assets/img/flags/sl.svg
similarity index 100%
rename from assets/img/flags/sl.svg
rename to docs/assets/img/flags/sl.svg
diff --git a/assets/img/flags/sm.svg b/docs/assets/img/flags/sm.svg
similarity index 100%
rename from assets/img/flags/sm.svg
rename to docs/assets/img/flags/sm.svg
diff --git a/assets/img/flags/sn.svg b/docs/assets/img/flags/sn.svg
similarity index 100%
rename from assets/img/flags/sn.svg
rename to docs/assets/img/flags/sn.svg
diff --git a/assets/img/flags/so.svg b/docs/assets/img/flags/so.svg
similarity index 100%
rename from assets/img/flags/so.svg
rename to docs/assets/img/flags/so.svg
diff --git a/assets/img/flags/sr.svg b/docs/assets/img/flags/sr.svg
similarity index 100%
rename from assets/img/flags/sr.svg
rename to docs/assets/img/flags/sr.svg
diff --git a/assets/img/flags/ss.svg b/docs/assets/img/flags/ss.svg
similarity index 100%
rename from assets/img/flags/ss.svg
rename to docs/assets/img/flags/ss.svg
diff --git a/assets/img/flags/st.svg b/docs/assets/img/flags/st.svg
similarity index 100%
rename from assets/img/flags/st.svg
rename to docs/assets/img/flags/st.svg
diff --git a/assets/img/flags/sv.svg b/docs/assets/img/flags/sv.svg
similarity index 100%
rename from assets/img/flags/sv.svg
rename to docs/assets/img/flags/sv.svg
diff --git a/assets/img/flags/sx.svg b/docs/assets/img/flags/sx.svg
similarity index 100%
rename from assets/img/flags/sx.svg
rename to docs/assets/img/flags/sx.svg
diff --git a/assets/img/flags/sy.svg b/docs/assets/img/flags/sy.svg
similarity index 100%
rename from assets/img/flags/sy.svg
rename to docs/assets/img/flags/sy.svg
diff --git a/assets/img/flags/sz.svg b/docs/assets/img/flags/sz.svg
similarity index 100%
rename from assets/img/flags/sz.svg
rename to docs/assets/img/flags/sz.svg
diff --git a/assets/img/flags/tc.svg b/docs/assets/img/flags/tc.svg
similarity index 100%
rename from assets/img/flags/tc.svg
rename to docs/assets/img/flags/tc.svg
diff --git a/assets/img/flags/td.svg b/docs/assets/img/flags/td.svg
similarity index 100%
rename from assets/img/flags/td.svg
rename to docs/assets/img/flags/td.svg
diff --git a/assets/img/flags/tf.svg b/docs/assets/img/flags/tf.svg
similarity index 100%
rename from assets/img/flags/tf.svg
rename to docs/assets/img/flags/tf.svg
diff --git a/assets/img/flags/tg.svg b/docs/assets/img/flags/tg.svg
similarity index 100%
rename from assets/img/flags/tg.svg
rename to docs/assets/img/flags/tg.svg
diff --git a/assets/img/flags/th.svg b/docs/assets/img/flags/th.svg
similarity index 100%
rename from assets/img/flags/th.svg
rename to docs/assets/img/flags/th.svg
diff --git a/assets/img/flags/tj.svg b/docs/assets/img/flags/tj.svg
similarity index 100%
rename from assets/img/flags/tj.svg
rename to docs/assets/img/flags/tj.svg
diff --git a/assets/img/flags/tk.svg b/docs/assets/img/flags/tk.svg
similarity index 100%
rename from assets/img/flags/tk.svg
rename to docs/assets/img/flags/tk.svg
diff --git a/assets/img/flags/tl.svg b/docs/assets/img/flags/tl.svg
similarity index 100%
rename from assets/img/flags/tl.svg
rename to docs/assets/img/flags/tl.svg
diff --git a/assets/img/flags/tm.svg b/docs/assets/img/flags/tm.svg
similarity index 100%
rename from assets/img/flags/tm.svg
rename to docs/assets/img/flags/tm.svg
diff --git a/assets/img/flags/tn.svg b/docs/assets/img/flags/tn.svg
similarity index 100%
rename from assets/img/flags/tn.svg
rename to docs/assets/img/flags/tn.svg
diff --git a/assets/img/flags/to.svg b/docs/assets/img/flags/to.svg
similarity index 100%
rename from assets/img/flags/to.svg
rename to docs/assets/img/flags/to.svg
diff --git a/assets/img/flags/tr.svg b/docs/assets/img/flags/tr.svg
similarity index 100%
rename from assets/img/flags/tr.svg
rename to docs/assets/img/flags/tr.svg
diff --git a/assets/img/flags/tt.svg b/docs/assets/img/flags/tt.svg
similarity index 100%
rename from assets/img/flags/tt.svg
rename to docs/assets/img/flags/tt.svg
diff --git a/assets/img/flags/tv.svg b/docs/assets/img/flags/tv.svg
similarity index 100%
rename from assets/img/flags/tv.svg
rename to docs/assets/img/flags/tv.svg
diff --git a/assets/img/flags/tw.svg b/docs/assets/img/flags/tw.svg
similarity index 100%
rename from assets/img/flags/tw.svg
rename to docs/assets/img/flags/tw.svg
diff --git a/assets/img/flags/tz.svg b/docs/assets/img/flags/tz.svg
similarity index 100%
rename from assets/img/flags/tz.svg
rename to docs/assets/img/flags/tz.svg
diff --git a/assets/img/flags/ua.svg b/docs/assets/img/flags/ua.svg
similarity index 100%
rename from assets/img/flags/ua.svg
rename to docs/assets/img/flags/ua.svg
diff --git a/assets/img/flags/ug.svg b/docs/assets/img/flags/ug.svg
similarity index 100%
rename from assets/img/flags/ug.svg
rename to docs/assets/img/flags/ug.svg
diff --git a/assets/img/flags/um.svg b/docs/assets/img/flags/um.svg
similarity index 100%
rename from assets/img/flags/um.svg
rename to docs/assets/img/flags/um.svg
diff --git a/assets/img/flags/un.svg b/docs/assets/img/flags/un.svg
similarity index 100%
rename from assets/img/flags/un.svg
rename to docs/assets/img/flags/un.svg
diff --git a/assets/img/flags/us.svg b/docs/assets/img/flags/us.svg
similarity index 100%
rename from assets/img/flags/us.svg
rename to docs/assets/img/flags/us.svg
diff --git a/assets/img/flags/uy.svg b/docs/assets/img/flags/uy.svg
similarity index 100%
rename from assets/img/flags/uy.svg
rename to docs/assets/img/flags/uy.svg
diff --git a/assets/img/flags/uz.svg b/docs/assets/img/flags/uz.svg
similarity index 100%
rename from assets/img/flags/uz.svg
rename to docs/assets/img/flags/uz.svg
diff --git a/assets/img/flags/va.svg b/docs/assets/img/flags/va.svg
similarity index 100%
rename from assets/img/flags/va.svg
rename to docs/assets/img/flags/va.svg
diff --git a/assets/img/flags/vc.svg b/docs/assets/img/flags/vc.svg
similarity index 100%
rename from assets/img/flags/vc.svg
rename to docs/assets/img/flags/vc.svg
diff --git a/assets/img/flags/ve.svg b/docs/assets/img/flags/ve.svg
similarity index 100%
rename from assets/img/flags/ve.svg
rename to docs/assets/img/flags/ve.svg
diff --git a/assets/img/flags/vg.svg b/docs/assets/img/flags/vg.svg
similarity index 100%
rename from assets/img/flags/vg.svg
rename to docs/assets/img/flags/vg.svg
diff --git a/assets/img/flags/vi.svg b/docs/assets/img/flags/vi.svg
similarity index 100%
rename from assets/img/flags/vi.svg
rename to docs/assets/img/flags/vi.svg
diff --git a/assets/img/flags/vn.svg b/docs/assets/img/flags/vn.svg
similarity index 100%
rename from assets/img/flags/vn.svg
rename to docs/assets/img/flags/vn.svg
diff --git a/assets/img/flags/vu.svg b/docs/assets/img/flags/vu.svg
similarity index 100%
rename from assets/img/flags/vu.svg
rename to docs/assets/img/flags/vu.svg
diff --git a/assets/img/flags/wf.svg b/docs/assets/img/flags/wf.svg
similarity index 100%
rename from assets/img/flags/wf.svg
rename to docs/assets/img/flags/wf.svg
diff --git a/assets/img/flags/ws.svg b/docs/assets/img/flags/ws.svg
similarity index 100%
rename from assets/img/flags/ws.svg
rename to docs/assets/img/flags/ws.svg
diff --git a/assets/img/flags/ye.svg b/docs/assets/img/flags/ye.svg
similarity index 100%
rename from assets/img/flags/ye.svg
rename to docs/assets/img/flags/ye.svg
diff --git a/assets/img/flags/yt.svg b/docs/assets/img/flags/yt.svg
similarity index 100%
rename from assets/img/flags/yt.svg
rename to docs/assets/img/flags/yt.svg
diff --git a/assets/img/flags/za.svg b/docs/assets/img/flags/za.svg
similarity index 100%
rename from assets/img/flags/za.svg
rename to docs/assets/img/flags/za.svg
diff --git a/assets/img/flags/zm.svg b/docs/assets/img/flags/zm.svg
similarity index 100%
rename from assets/img/flags/zm.svg
rename to docs/assets/img/flags/zm.svg
diff --git a/assets/img/flags/zw.svg b/docs/assets/img/flags/zw.svg
similarity index 100%
rename from assets/img/flags/zw.svg
rename to docs/assets/img/flags/zw.svg
diff --git a/assets/img/flags/zz.svg b/docs/assets/img/flags/zz.svg
similarity index 100%
rename from assets/img/flags/zz.svg
rename to docs/assets/img/flags/zz.svg
diff --git a/assets/img/ios/dnscloak.png b/docs/assets/img/ios/dnscloak.png
similarity index 100%
rename from assets/img/ios/dnscloak.png
rename to docs/assets/img/ios/dnscloak.png
diff --git a/assets/img/layout/android-chrome-192x192.png b/docs/assets/img/layout/android-chrome-192x192.png
similarity index 100%
rename from assets/img/layout/android-chrome-192x192.png
rename to docs/assets/img/layout/android-chrome-192x192.png
diff --git a/assets/img/layout/android-chrome-512x512.png b/docs/assets/img/layout/android-chrome-512x512.png
similarity index 100%
rename from assets/img/layout/android-chrome-512x512.png
rename to docs/assets/img/layout/android-chrome-512x512.png
diff --git a/assets/img/layout/apple-touch-icon.png b/docs/assets/img/layout/apple-touch-icon.png
similarity index 100%
rename from assets/img/layout/apple-touch-icon.png
rename to docs/assets/img/layout/apple-touch-icon.png
diff --git a/assets/img/layout/favicon-16x16.png b/docs/assets/img/layout/favicon-16x16.png
similarity index 100%
rename from assets/img/layout/favicon-16x16.png
rename to docs/assets/img/layout/favicon-16x16.png
diff --git a/assets/img/layout/favicon-32x32.png b/docs/assets/img/layout/favicon-32x32.png
similarity index 100%
rename from assets/img/layout/favicon-32x32.png
rename to docs/assets/img/layout/favicon-32x32.png
diff --git a/assets/img/layout/favicon.ico b/docs/assets/img/layout/favicon.ico
similarity index 100%
rename from assets/img/layout/favicon.ico
rename to docs/assets/img/layout/favicon.ico
diff --git a/assets/img/layout/mstile-150x150.png b/docs/assets/img/layout/mstile-150x150.png
similarity index 100%
rename from assets/img/layout/mstile-150x150.png
rename to docs/assets/img/layout/mstile-150x150.png
diff --git a/assets/img/layout/network-anonymous-routing.svg b/docs/assets/img/layout/network-anonymous-routing.svg
similarity index 100%
rename from assets/img/layout/network-anonymous-routing.svg
rename to docs/assets/img/layout/network-anonymous-routing.svg
diff --git a/assets/img/layout/network-centralized.svg b/docs/assets/img/layout/network-centralized.svg
similarity index 100%
rename from assets/img/layout/network-centralized.svg
rename to docs/assets/img/layout/network-centralized.svg
diff --git a/assets/img/layout/network-decentralized.svg b/docs/assets/img/layout/network-decentralized.svg
similarity index 100%
rename from assets/img/layout/network-decentralized.svg
rename to docs/assets/img/layout/network-decentralized.svg
diff --git a/assets/img/layout/network-distributed.svg b/docs/assets/img/layout/network-distributed.svg
similarity index 100%
rename from assets/img/layout/network-distributed.svg
rename to docs/assets/img/layout/network-distributed.svg
diff --git a/assets/img/layout/privacy-guides-logo-dark.svg b/docs/assets/img/layout/privacy-guides-logo-dark.svg
similarity index 100%
rename from assets/img/layout/privacy-guides-logo-dark.svg
rename to docs/assets/img/layout/privacy-guides-logo-dark.svg
diff --git a/assets/img/layout/privacy-guides-logo-light.svg b/docs/assets/img/layout/privacy-guides-logo-light.svg
similarity index 100%
rename from assets/img/layout/privacy-guides-logo-light.svg
rename to docs/assets/img/layout/privacy-guides-logo-light.svg
diff --git a/assets/img/layout/privacy-guides-logo-notext-colorbg.svg b/docs/assets/img/layout/privacy-guides-logo-notext-colorbg.svg
similarity index 100%
rename from assets/img/layout/privacy-guides-logo-notext-colorbg.svg
rename to docs/assets/img/layout/privacy-guides-logo-notext-colorbg.svg
diff --git a/assets/img/layout/privacy-guides-logo-notext.svg b/docs/assets/img/layout/privacy-guides-logo-notext.svg
similarity index 100%
rename from assets/img/layout/privacy-guides-logo-notext.svg
rename to docs/assets/img/layout/privacy-guides-logo-notext.svg
diff --git a/assets/img/layout/privacy-guides-logo.png b/docs/assets/img/layout/privacy-guides-logo.png
similarity index 100%
rename from assets/img/layout/privacy-guides-logo.png
rename to docs/assets/img/layout/privacy-guides-logo.png
diff --git a/assets/img/layout/privacy-guides-logo.svg b/docs/assets/img/layout/privacy-guides-logo.svg
similarity index 100%
rename from assets/img/layout/privacy-guides-logo.svg
rename to docs/assets/img/layout/privacy-guides-logo.svg
diff --git a/assets/img/layout/safari-pinned-tab.svg b/docs/assets/img/layout/safari-pinned-tab.svg
similarity index 100%
rename from assets/img/layout/safari-pinned-tab.svg
rename to docs/assets/img/layout/safari-pinned-tab.svg
diff --git a/assets/img/legacy_png/3rd-party/claws_mail.png b/docs/assets/img/legacy_png/3rd-party/claws_mail.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/claws_mail.png
rename to docs/assets/img/legacy_png/3rd-party/claws_mail.png
diff --git a/assets/img/legacy_png/3rd-party/datacell.png b/docs/assets/img/legacy_png/3rd-party/datacell.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/datacell.png
rename to docs/assets/img/legacy_png/3rd-party/datacell.png
diff --git a/assets/img/legacy_png/3rd-party/orange_website.png b/docs/assets/img/legacy_png/3rd-party/orange_website.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/orange_website.png
rename to docs/assets/img/legacy_png/3rd-party/orange_website.png
diff --git a/assets/img/legacy_png/3rd-party/raddle.png b/docs/assets/img/legacy_png/3rd-party/raddle.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/raddle.png
rename to docs/assets/img/legacy_png/3rd-party/raddle.png
diff --git a/assets/img/legacy_png/3rd-party/runbox-dark.png b/docs/assets/img/legacy_png/3rd-party/runbox-dark.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/runbox-dark.png
rename to docs/assets/img/legacy_png/3rd-party/runbox-dark.png
diff --git a/assets/img/legacy_png/3rd-party/runbox.png b/docs/assets/img/legacy_png/3rd-party/runbox.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/runbox.png
rename to docs/assets/img/legacy_png/3rd-party/runbox.png
diff --git a/assets/img/legacy_png/3rd-party/sponsors/awesomeresources.png b/docs/assets/img/legacy_png/3rd-party/sponsors/awesomeresources.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/sponsors/awesomeresources.png
rename to docs/assets/img/legacy_png/3rd-party/sponsors/awesomeresources.png
diff --git a/assets/img/legacy_png/3rd-party/sponsors/deleteme.png b/docs/assets/img/legacy_png/3rd-party/sponsors/deleteme.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/sponsors/deleteme.png
rename to docs/assets/img/legacy_png/3rd-party/sponsors/deleteme.png
diff --git a/assets/img/legacy_png/3rd-party/sponsors/insurgo.png b/docs/assets/img/legacy_png/3rd-party/sponsors/insurgo.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/sponsors/insurgo.png
rename to docs/assets/img/legacy_png/3rd-party/sponsors/insurgo.png
diff --git a/assets/img/legacy_png/3rd-party/sponsors/looktotheright.png b/docs/assets/img/legacy_png/3rd-party/sponsors/looktotheright.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/sponsors/looktotheright.png
rename to docs/assets/img/legacy_png/3rd-party/sponsors/looktotheright.png
diff --git a/assets/img/legacy_png/3rd-party/sponsors/oeck-dark.png b/docs/assets/img/legacy_png/3rd-party/sponsors/oeck-dark.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/sponsors/oeck-dark.png
rename to docs/assets/img/legacy_png/3rd-party/sponsors/oeck-dark.png
diff --git a/assets/img/legacy_png/3rd-party/sponsors/oeck.png b/docs/assets/img/legacy_png/3rd-party/sponsors/oeck.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/sponsors/oeck.png
rename to docs/assets/img/legacy_png/3rd-party/sponsors/oeck.png
diff --git a/assets/img/legacy_png/3rd-party/sponsors/scamsinfo.png b/docs/assets/img/legacy_png/3rd-party/sponsors/scamsinfo.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/sponsors/scamsinfo.png
rename to docs/assets/img/legacy_png/3rd-party/sponsors/scamsinfo.png
diff --git a/assets/img/legacy_png/3rd-party/umatrix.png b/docs/assets/img/legacy_png/3rd-party/umatrix.png
similarity index 100%
rename from assets/img/legacy_png/3rd-party/umatrix.png
rename to docs/assets/img/legacy_png/3rd-party/umatrix.png
diff --git a/assets/img/legacy_png/favicons/android-chrome-192x192.png b/docs/assets/img/legacy_png/favicons/android-chrome-192x192.png
similarity index 100%
rename from assets/img/legacy_png/favicons/android-chrome-192x192.png
rename to docs/assets/img/legacy_png/favicons/android-chrome-192x192.png
diff --git a/assets/img/legacy_png/favicons/android-chrome-512x512.png b/docs/assets/img/legacy_png/favicons/android-chrome-512x512.png
similarity index 100%
rename from assets/img/legacy_png/favicons/android-chrome-512x512.png
rename to docs/assets/img/legacy_png/favicons/android-chrome-512x512.png
diff --git a/assets/img/legacy_png/favicons/apple-touch-icon.png b/docs/assets/img/legacy_png/favicons/apple-touch-icon.png
similarity index 100%
rename from assets/img/legacy_png/favicons/apple-touch-icon.png
rename to docs/assets/img/legacy_png/favicons/apple-touch-icon.png
diff --git a/assets/img/legacy_png/favicons/browserconfig.xml b/docs/assets/img/legacy_png/favicons/browserconfig.xml
similarity index 100%
rename from assets/img/legacy_png/favicons/browserconfig.xml
rename to docs/assets/img/legacy_png/favicons/browserconfig.xml
diff --git a/assets/img/legacy_png/favicons/favicon-16x16.png b/docs/assets/img/legacy_png/favicons/favicon-16x16.png
similarity index 100%
rename from assets/img/legacy_png/favicons/favicon-16x16.png
rename to docs/assets/img/legacy_png/favicons/favicon-16x16.png
diff --git a/assets/img/legacy_png/favicons/favicon-32x32.png b/docs/assets/img/legacy_png/favicons/favicon-32x32.png
similarity index 100%
rename from assets/img/legacy_png/favicons/favicon-32x32.png
rename to docs/assets/img/legacy_png/favicons/favicon-32x32.png
diff --git a/assets/img/legacy_png/favicons/favicon.ico b/docs/assets/img/legacy_png/favicons/favicon.ico
similarity index 100%
rename from assets/img/legacy_png/favicons/favicon.ico
rename to docs/assets/img/legacy_png/favicons/favicon.ico
diff --git a/assets/img/legacy_png/favicons/mstile-144x144.png b/docs/assets/img/legacy_png/favicons/mstile-144x144.png
similarity index 100%
rename from assets/img/legacy_png/favicons/mstile-144x144.png
rename to docs/assets/img/legacy_png/favicons/mstile-144x144.png
diff --git a/assets/img/legacy_png/favicons/mstile-150x150.png b/docs/assets/img/legacy_png/favicons/mstile-150x150.png
similarity index 100%
rename from assets/img/legacy_png/favicons/mstile-150x150.png
rename to docs/assets/img/legacy_png/favicons/mstile-150x150.png
diff --git a/assets/img/legacy_png/favicons/mstile-310x150.png b/docs/assets/img/legacy_png/favicons/mstile-310x150.png
similarity index 100%
rename from assets/img/legacy_png/favicons/mstile-310x150.png
rename to docs/assets/img/legacy_png/favicons/mstile-310x150.png
diff --git a/assets/img/legacy_png/favicons/mstile-310x310.png b/docs/assets/img/legacy_png/favicons/mstile-310x310.png
similarity index 100%
rename from assets/img/legacy_png/favicons/mstile-310x310.png
rename to docs/assets/img/legacy_png/favicons/mstile-310x310.png
diff --git a/assets/img/legacy_png/favicons/mstile-70x70.png b/docs/assets/img/legacy_png/favicons/mstile-70x70.png
similarity index 100%
rename from assets/img/legacy_png/favicons/mstile-70x70.png
rename to docs/assets/img/legacy_png/favicons/mstile-70x70.png
diff --git a/assets/img/legacy_png/favicons/safari-pinned-tab.svg b/docs/assets/img/legacy_png/favicons/safari-pinned-tab.svg
similarity index 100%
rename from assets/img/legacy_png/favicons/safari-pinned-tab.svg
rename to docs/assets/img/legacy_png/favicons/safari-pinned-tab.svg
diff --git a/assets/img/legacy_png/favicons/site.webmanifest b/docs/assets/img/legacy_png/favicons/site.webmanifest
similarity index 100%
rename from assets/img/legacy_png/favicons/site.webmanifest
rename to docs/assets/img/legacy_png/favicons/site.webmanifest
diff --git a/assets/img/legacy_png/layout/glenn_greenwald.png b/docs/assets/img/legacy_png/layout/glenn_greenwald.png
similarity index 100%
rename from assets/img/legacy_png/layout/glenn_greenwald.png
rename to docs/assets/img/legacy_png/layout/glenn_greenwald.png
diff --git a/assets/img/legacy_png/layout/logo.png b/docs/assets/img/legacy_png/layout/logo.png
similarity index 100%
rename from assets/img/legacy_png/layout/logo.png
rename to docs/assets/img/legacy_png/layout/logo.png
diff --git a/assets/img/legacy_png/layout/logo_smaller.png b/docs/assets/img/legacy_png/layout/logo_smaller.png
similarity index 100%
rename from assets/img/legacy_png/layout/logo_smaller.png
rename to docs/assets/img/legacy_png/layout/logo_smaller.png
diff --git a/assets/img/legacy_png/layout/shield.png b/docs/assets/img/legacy_png/layout/shield.png
similarity index 100%
rename from assets/img/legacy_png/layout/shield.png
rename to docs/assets/img/legacy_png/layout/shield.png
diff --git a/assets/img/legacy_png/layout/this-video-is-sponsored-by-vpn.png b/docs/assets/img/legacy_png/layout/this-video-is-sponsored-by-vpn.png
similarity index 100%
rename from assets/img/legacy_png/layout/this-video-is-sponsored-by-vpn.png
rename to docs/assets/img/legacy_png/layout/this-video-is-sponsored-by-vpn.png
diff --git a/assets/img/legacy_svg/3rd-party/discourse.svg b/docs/assets/img/legacy_svg/3rd-party/discourse.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/discourse.svg
rename to docs/assets/img/legacy_svg/3rd-party/discourse.svg
diff --git a/assets/img/legacy_svg/3rd-party/duckduckgo.svg b/docs/assets/img/legacy_svg/3rd-party/duckduckgo.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/duckduckgo.svg
rename to docs/assets/img/legacy_svg/3rd-party/duckduckgo.svg
diff --git a/assets/img/legacy_svg/3rd-party/etag_stoppa.svg b/docs/assets/img/legacy_svg/3rd-party/etag_stoppa.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/etag_stoppa.svg
rename to docs/assets/img/legacy_svg/3rd-party/etag_stoppa.svg
diff --git a/assets/img/legacy_svg/3rd-party/firefox_browser.svg b/docs/assets/img/legacy_svg/3rd-party/firefox_browser.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/firefox_browser.svg
rename to docs/assets/img/legacy_svg/3rd-party/firefox_browser.svg
diff --git a/assets/img/legacy_svg/3rd-party/firefox_send.svg b/docs/assets/img/legacy_svg/3rd-party/firefox_send.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/firefox_send.svg
rename to docs/assets/img/legacy_svg/3rd-party/firefox_send.svg
diff --git a/assets/img/legacy_svg/3rd-party/i2p-dark.svg b/docs/assets/img/legacy_svg/3rd-party/i2p-dark.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/i2p-dark.svg
rename to docs/assets/img/legacy_svg/3rd-party/i2p-dark.svg
diff --git a/assets/img/legacy_svg/3rd-party/jami.svg b/docs/assets/img/legacy_svg/3rd-party/jami.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/jami.svg
rename to docs/assets/img/legacy_svg/3rd-party/jami.svg
diff --git a/assets/img/legacy_svg/3rd-party/kolab_now-dark.svg b/docs/assets/img/legacy_svg/3rd-party/kolab_now-dark.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/kolab_now-dark.svg
rename to docs/assets/img/legacy_svg/3rd-party/kolab_now-dark.svg
diff --git a/assets/img/legacy_svg/3rd-party/kolab_now.svg b/docs/assets/img/legacy_svg/3rd-party/kolab_now.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/kolab_now.svg
rename to docs/assets/img/legacy_svg/3rd-party/kolab_now.svg
diff --git a/assets/img/legacy_svg/3rd-party/lbrytv.svg b/docs/assets/img/legacy_svg/3rd-party/lbrytv.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/lbrytv.svg
rename to docs/assets/img/legacy_svg/3rd-party/lbrytv.svg
diff --git a/assets/img/legacy_svg/3rd-party/lesspass.svg b/docs/assets/img/legacy_svg/3rd-party/lesspass.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/lesspass.svg
rename to docs/assets/img/legacy_svg/3rd-party/lesspass.svg
diff --git a/assets/img/legacy_svg/3rd-party/mailfence-dark.svg b/docs/assets/img/legacy_svg/3rd-party/mailfence-dark.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/mailfence-dark.svg
rename to docs/assets/img/legacy_svg/3rd-party/mailfence-dark.svg
diff --git a/assets/img/legacy_svg/3rd-party/mailfence.svg b/docs/assets/img/legacy_svg/3rd-party/mailfence.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/mailfence.svg
rename to docs/assets/img/legacy_svg/3rd-party/mailfence.svg
diff --git a/assets/img/legacy_svg/3rd-party/matrix-dark.svg b/docs/assets/img/legacy_svg/3rd-party/matrix-dark.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/matrix-dark.svg
rename to docs/assets/img/legacy_svg/3rd-party/matrix-dark.svg
diff --git a/assets/img/legacy_svg/3rd-party/matrix.svg b/docs/assets/img/legacy_svg/3rd-party/matrix.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/matrix.svg
rename to docs/assets/img/legacy_svg/3rd-party/matrix.svg
diff --git a/assets/img/legacy_svg/3rd-party/mumble.svg b/docs/assets/img/legacy_svg/3rd-party/mumble.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/mumble.svg
rename to docs/assets/img/legacy_svg/3rd-party/mumble.svg
diff --git a/assets/img/legacy_svg/3rd-party/qwant.svg b/docs/assets/img/legacy_svg/3rd-party/qwant.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/qwant.svg
rename to docs/assets/img/legacy_svg/3rd-party/qwant.svg
diff --git a/assets/img/legacy_svg/3rd-party/retroshare.svg b/docs/assets/img/legacy_svg/3rd-party/retroshare.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/retroshare.svg
rename to docs/assets/img/legacy_svg/3rd-party/retroshare.svg
diff --git a/assets/img/legacy_svg/3rd-party/rocketchat.svg b/docs/assets/img/legacy_svg/3rd-party/rocketchat.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/rocketchat.svg
rename to docs/assets/img/legacy_svg/3rd-party/rocketchat.svg
diff --git a/assets/img/legacy_svg/3rd-party/sparkleshare.svg b/docs/assets/img/legacy_svg/3rd-party/sparkleshare.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/sparkleshare.svg
rename to docs/assets/img/legacy_svg/3rd-party/sparkleshare.svg
diff --git a/assets/img/legacy_svg/3rd-party/sponsors/safing-dark.svg b/docs/assets/img/legacy_svg/3rd-party/sponsors/safing-dark.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/sponsors/safing-dark.svg
rename to docs/assets/img/legacy_svg/3rd-party/sponsors/safing-dark.svg
diff --git a/assets/img/legacy_svg/3rd-party/sponsors/safing.svg b/docs/assets/img/legacy_svg/3rd-party/sponsors/safing.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/sponsors/safing.svg
rename to docs/assets/img/legacy_svg/3rd-party/sponsors/safing.svg
diff --git a/assets/img/legacy_svg/3rd-party/sponsors/techlore.svg b/docs/assets/img/legacy_svg/3rd-party/sponsors/techlore.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/sponsors/techlore.svg
rename to docs/assets/img/legacy_svg/3rd-party/sponsors/techlore.svg
diff --git a/assets/img/legacy_svg/3rd-party/writeas-dark.svg b/docs/assets/img/legacy_svg/3rd-party/writeas-dark.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/writeas-dark.svg
rename to docs/assets/img/legacy_svg/3rd-party/writeas-dark.svg
diff --git a/assets/img/legacy_svg/layout/brand/horizontal.svg b/docs/assets/img/legacy_svg/layout/brand/horizontal.svg
similarity index 100%
rename from assets/img/legacy_svg/layout/brand/horizontal.svg
rename to docs/assets/img/legacy_svg/layout/brand/horizontal.svg
diff --git a/assets/img/legacy_svg/layout/brand/square-transparent.svg b/docs/assets/img/legacy_svg/layout/brand/square-transparent.svg
similarity index 100%
rename from assets/img/legacy_svg/layout/brand/square-transparent.svg
rename to docs/assets/img/legacy_svg/layout/brand/square-transparent.svg
diff --git a/assets/img/legacy_svg/layout/brand/vertical.svg b/docs/assets/img/legacy_svg/layout/brand/vertical.svg
similarity index 100%
rename from assets/img/legacy_svg/layout/brand/vertical.svg
rename to docs/assets/img/legacy_svg/layout/brand/vertical.svg
diff --git a/assets/img/legacy_svg/layout/email.svg b/docs/assets/img/legacy_svg/layout/email.svg
similarity index 100%
rename from assets/img/legacy_svg/layout/email.svg
rename to docs/assets/img/legacy_svg/layout/email.svg
diff --git a/assets/img/legacy_svg/qr/bch.svg b/docs/assets/img/legacy_svg/qr/bch.svg
similarity index 100%
rename from assets/img/legacy_svg/qr/bch.svg
rename to docs/assets/img/legacy_svg/qr/bch.svg
diff --git a/assets/img/legacy_svg/qr/btc.svg b/docs/assets/img/legacy_svg/qr/btc.svg
similarity index 100%
rename from assets/img/legacy_svg/qr/btc.svg
rename to docs/assets/img/legacy_svg/qr/btc.svg
diff --git a/assets/img/legacy_svg/qr/eth.svg b/docs/assets/img/legacy_svg/qr/eth.svg
similarity index 100%
rename from assets/img/legacy_svg/qr/eth.svg
rename to docs/assets/img/legacy_svg/qr/eth.svg
diff --git a/assets/img/legacy_svg/qr/ltc.svg b/docs/assets/img/legacy_svg/qr/ltc.svg
similarity index 100%
rename from assets/img/legacy_svg/qr/ltc.svg
rename to docs/assets/img/legacy_svg/qr/ltc.svg
diff --git a/assets/img/legacy_svg/qr/xlm.svg b/docs/assets/img/legacy_svg/qr/xlm.svg
similarity index 100%
rename from assets/img/legacy_svg/qr/xlm.svg
rename to docs/assets/img/legacy_svg/qr/xlm.svg
diff --git a/assets/img/legacy_svg/qr/xmr.svg b/docs/assets/img/legacy_svg/qr/xmr.svg
similarity index 100%
rename from assets/img/legacy_svg/qr/xmr.svg
rename to docs/assets/img/legacy_svg/qr/xmr.svg
diff --git a/assets/img/legacy_svg/qr/zec.svg b/docs/assets/img/legacy_svg/qr/zec.svg
similarity index 100%
rename from assets/img/legacy_svg/qr/zec.svg
rename to docs/assets/img/legacy_svg/qr/zec.svg
diff --git a/assets/img/linux-desktop/archlinux.svg b/docs/assets/img/linux-desktop/archlinux.svg
similarity index 100%
rename from assets/img/linux-desktop/archlinux.svg
rename to docs/assets/img/linux-desktop/archlinux.svg
diff --git a/assets/img/linux-desktop/fedora-silverblue.svg b/docs/assets/img/linux-desktop/fedora-silverblue.svg
similarity index 100%
rename from assets/img/linux-desktop/fedora-silverblue.svg
rename to docs/assets/img/linux-desktop/fedora-silverblue.svg
diff --git a/assets/img/linux-desktop/fedora-workstation.svg b/docs/assets/img/linux-desktop/fedora-workstation.svg
similarity index 100%
rename from assets/img/linux-desktop/fedora-workstation.svg
rename to docs/assets/img/linux-desktop/fedora-workstation.svg
diff --git a/assets/img/linux-desktop/nixos.svg b/docs/assets/img/linux-desktop/nixos.svg
similarity index 100%
rename from assets/img/linux-desktop/nixos.svg
rename to docs/assets/img/linux-desktop/nixos.svg
diff --git a/assets/img/linux-desktop/opensuse-tumbleweed.svg b/docs/assets/img/linux-desktop/opensuse-tumbleweed.svg
similarity index 100%
rename from assets/img/linux-desktop/opensuse-tumbleweed.svg
rename to docs/assets/img/linux-desktop/opensuse-tumbleweed.svg
diff --git a/assets/img/linux-desktop/tails.svg b/docs/assets/img/linux-desktop/tails.svg
similarity index 100%
rename from assets/img/linux-desktop/tails.svg
rename to docs/assets/img/linux-desktop/tails.svg
diff --git a/assets/img/linux-desktop/whonix.svg b/docs/assets/img/linux-desktop/whonix.svg
similarity index 100%
rename from assets/img/linux-desktop/whonix.svg
rename to docs/assets/img/linux-desktop/whonix.svg
diff --git a/assets/img/messengers/briar.svg b/docs/assets/img/messengers/briar.svg
similarity index 100%
rename from assets/img/messengers/briar.svg
rename to docs/assets/img/messengers/briar.svg
diff --git a/assets/img/messengers/element.svg b/docs/assets/img/messengers/element.svg
similarity index 100%
rename from assets/img/messengers/element.svg
rename to docs/assets/img/messengers/element.svg
diff --git a/assets/img/messengers/jitsi.svg b/docs/assets/img/messengers/jitsi.svg
similarity index 100%
rename from assets/img/messengers/jitsi.svg
rename to docs/assets/img/messengers/jitsi.svg
diff --git a/assets/img/messengers/linphone.svg b/docs/assets/img/messengers/linphone.svg
similarity index 100%
rename from assets/img/messengers/linphone.svg
rename to docs/assets/img/messengers/linphone.svg
diff --git a/assets/img/messengers/session.svg b/docs/assets/img/messengers/session.svg similarity index 100% rename from assets/img/messengers/session.svg rename to docs/assets/img/messengers/session.svg diff --git a/assets/img/messengers/signal.svg b/docs/assets/img/messengers/signal.svg similarity index 100% rename from assets/img/messengers/signal.svg rename to docs/assets/img/messengers/signal.svg diff --git a/assets/img/legacy_svg/3rd-party/exifcleaner.svg b/docs/assets/img/metadata-removal/exifcleaner.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/exifcleaner.svg rename to docs/assets/img/metadata-removal/exifcleaner.svg diff --git a/docs/assets/img/metadata-removal/exiftool.png b/docs/assets/img/metadata-removal/exiftool.png new file mode 100644 index 00000000..a4730079 Binary files /dev/null and b/docs/assets/img/metadata-removal/exiftool.png differ diff --git a/docs/assets/img/metadata-removal/imagepipe.svg b/docs/assets/img/metadata-removal/imagepipe.svg new file mode 100644 index 00000000..8c826fe1 --- /dev/null +++ b/docs/assets/img/metadata-removal/imagepipe.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/legacy_svg/3rd-party/mat2.svg b/docs/assets/img/metadata-removal/mat2.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/mat2.svg rename to docs/assets/img/metadata-removal/mat2.svg diff --git a/docs/assets/img/metadata-removal/metapho.jpg b/docs/assets/img/metadata-removal/metapho.jpg new file mode 100644 index 00000000..bffc380f Binary files /dev/null and b/docs/assets/img/metadata-removal/metapho.jpg differ diff --git a/docs/assets/img/metadata-removal/scrambled-exif.svg b/docs/assets/img/metadata-removal/scrambled-exif.svg new file mode 100644 index 00000000..a9d07388 --- /dev/null +++ b/docs/assets/img/metadata-removal/scrambled-exif.svg @@ -0,0 +1,2 @@ + + 
diff --git a/docs/assets/img/multi-factor-authentication/aegis.png b/docs/assets/img/multi-factor-authentication/aegis.png new file mode 100644 index 00000000..ad537aa6 Binary files /dev/null and b/docs/assets/img/multi-factor-authentication/aegis.png differ diff --git a/docs/assets/img/multi-factor-authentication/nitrokey.jpg b/docs/assets/img/multi-factor-authentication/nitrokey.jpg new file mode 100644 index 00000000..dbbd7e99 Binary files /dev/null and b/docs/assets/img/multi-factor-authentication/nitrokey.jpg differ diff --git a/docs/assets/img/multi-factor-authentication/ravio-otp.png b/docs/assets/img/multi-factor-authentication/ravio-otp.png new file mode 100644 index 00000000..3096b774 Binary files /dev/null and b/docs/assets/img/multi-factor-authentication/ravio-otp.png differ diff --git a/docs/assets/img/multi-factor-authentication/yubikey.png b/docs/assets/img/multi-factor-authentication/yubikey.png new file mode 100644 index 00000000..1b6bd6fb Binary files /dev/null and b/docs/assets/img/multi-factor-authentication/yubikey.png differ diff --git a/docs/assets/img/notebooks/etesync-notes.png b/docs/assets/img/notebooks/etesync-notes.png new file mode 100644 index 00000000..a93808a3 Binary files /dev/null and b/docs/assets/img/notebooks/etesync-notes.png differ diff --git a/assets/img/legacy_svg/3rd-party/joplin.svg b/docs/assets/img/notebooks/joplin.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/joplin.svg rename to docs/assets/img/notebooks/joplin.svg diff --git a/docs/assets/img/notebooks/org-mode.svg b/docs/assets/img/notebooks/org-mode.svg new file mode 100644 index 00000000..86e8a504 --- /dev/null +++ b/docs/assets/img/notebooks/org-mode.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/legacy_svg/3rd-party/standard_notes.svg b/docs/assets/img/notebooks/standard-notes.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/standard_notes.svg rename to docs/assets/img/notebooks/standard-notes.svg 
diff --git a/assets/img/legacy_svg/3rd-party/bitwarden.svg b/docs/assets/img/password-management/bitwarden.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/bitwarden.svg rename to docs/assets/img/password-management/bitwarden.svg diff --git a/docs/assets/img/password-management/gopass.svg b/docs/assets/img/password-management/gopass.svg new file mode 100644 index 00000000..5ad99703 --- /dev/null +++ b/docs/assets/img/password-management/gopass.svg @@ -0,0 +1,107 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/assets/img/password-management/keepassdx.svg b/docs/assets/img/password-management/keepassdx.svg new file mode 100644 index 00000000..5e06ca50 --- /dev/null +++ b/docs/assets/img/password-management/keepassdx.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/legacy_svg/3rd-party/keepassxc.svg b/docs/assets/img/password-management/keepassxc.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/keepassxc.svg rename to docs/assets/img/password-management/keepassxc.svg diff --git a/docs/assets/img/password-management/pass.svg b/docs/assets/img/password-management/pass.svg new file mode 100644 index 00000000..f2a712c8 --- /dev/null +++ b/docs/assets/img/password-management/pass.svg @@ -0,0 +1,2 @@ + +pass diff --git a/docs/assets/img/password-management/psono.svg b/docs/assets/img/password-management/psono.svg new file mode 100644 index 00000000..9f8829db --- /dev/null +++ b/docs/assets/img/password-management/psono.svg @@ -0,0 +1,2 @@ + + diff --git a/docs/assets/img/password-management/vaultwarden-dark.svg b/docs/assets/img/password-management/vaultwarden-dark.svg new file mode 100644 index 00000000..b7ee48e2 --- /dev/null +++ b/docs/assets/img/password-management/vaultwarden-dark.svg @@ -0,0 +1,2 @@ + + 
diff --git a/docs/assets/img/password-management/vaultwarden.svg b/docs/assets/img/password-management/vaultwarden.svg new file mode 100644 index 00000000..5c25782f --- /dev/null +++ b/docs/assets/img/password-management/vaultwarden.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/people/blacklight447.png b/docs/assets/img/people/blacklight447.png similarity index 100% rename from assets/img/people/blacklight447.png rename to docs/assets/img/people/blacklight447.png diff --git a/assets/img/people/dngray.png b/docs/assets/img/people/dngray.png similarity index 100% rename from assets/img/people/dngray.png rename to docs/assets/img/people/dngray.png diff --git a/assets/img/people/jonah.png b/docs/assets/img/people/jonah.png similarity index 100% rename from assets/img/people/jonah.png rename to docs/assets/img/people/jonah.png diff --git a/docs/assets/img/productivity/cryptpad.svg b/docs/assets/img/productivity/cryptpad.svg new file mode 100644 index 00000000..972b98c5 --- /dev/null +++ b/docs/assets/img/productivity/cryptpad.svg @@ -0,0 +1,2 @@ + + diff --git a/docs/assets/img/productivity/framadate.svg b/docs/assets/img/productivity/framadate.svg new file mode 100644 index 00000000..5af3b641 --- /dev/null +++ b/docs/assets/img/productivity/framadate.svg @@ -0,0 +1,2 @@ + + diff --git a/docs/assets/img/productivity/libreoffice.svg b/docs/assets/img/productivity/libreoffice.svg new file mode 100644 index 00000000..857f8bc0 --- /dev/null +++ b/docs/assets/img/productivity/libreoffice.svg @@ -0,0 +1,2 @@ + + diff --git a/docs/assets/img/productivity/onlyoffice.svg b/docs/assets/img/productivity/onlyoffice.svg new file mode 100644 index 00000000..e0b0dd55 --- /dev/null +++ b/docs/assets/img/productivity/onlyoffice.svg @@ -0,0 +1,2 @@ + + 
diff --git a/assets/img/legacy_svg/3rd-party/privatebin.svg b/docs/assets/img/productivity/privatebin.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/privatebin.svg
rename to docs/assets/img/productivity/privatebin.svg
diff --git a/docs/assets/img/productivity/vscodium.svg b/docs/assets/img/productivity/vscodium.svg
new file mode 100644
index 00000000..e989052e
--- /dev/null
+++ b/docs/assets/img/productivity/vscodium.svg
@@ -0,0 +1,2 @@
+ +
diff --git a/docs/assets/img/productivity/writeas-dark.svg b/docs/assets/img/productivity/writeas-dark.svg
new file mode 100644
index 00000000..338756a2
--- /dev/null
+++ b/docs/assets/img/productivity/writeas-dark.svg
@@ -0,0 +1,2 @@
+ +
diff --git a/docs/assets/img/productivity/writeas.svg b/docs/assets/img/productivity/writeas.svg
new file mode 100644
index 00000000..123b9a01
--- /dev/null
+++ b/docs/assets/img/productivity/writeas.svg
@@ -0,0 +1,2 @@
+ +
diff --git a/assets/img/qubes/qubes_os.svg b/docs/assets/img/qubes/qubes_os.svg
similarity index 100%
rename from assets/img/qubes/qubes_os.svg
rename to docs/assets/img/qubes/qubes_os.svg
diff --git a/assets/img/router/openwrt-dark.svg b/docs/assets/img/router/openwrt-dark.svg
similarity index 100%
rename from assets/img/router/openwrt-dark.svg
rename to docs/assets/img/router/openwrt-dark.svg
diff --git a/assets/img/router/openwrt.svg b/docs/assets/img/router/openwrt.svg
similarity index 100%
rename from assets/img/router/openwrt.svg
rename to docs/assets/img/router/openwrt.svg
diff --git a/assets/img/router/pfsense-dark.svg b/docs/assets/img/router/pfsense-dark.svg
similarity index 100%
rename from assets/img/router/pfsense-dark.svg
rename to docs/assets/img/router/pfsense-dark.svg
diff --git a/assets/img/router/pfsense.svg b/docs/assets/img/router/pfsense.svg
similarity index 100%
rename from assets/img/router/pfsense.svg
rename to docs/assets/img/router/pfsense.svg
diff --git a/assets/img/search-engines/duckduckgo.svg b/docs/assets/img/search-engines/duckduckgo.svg
similarity index 100%
rename from assets/img/search-engines/duckduckgo.svg
rename to docs/assets/img/search-engines/duckduckgo.svg
diff --git a/assets/img/search-engines/mojeek.svg b/docs/assets/img/search-engines/mojeek.svg
similarity index 100%
rename from assets/img/search-engines/mojeek.svg
rename to docs/assets/img/search-engines/mojeek.svg
diff --git a/assets/img/search-engines/searx.svg b/docs/assets/img/search-engines/searx.svg
similarity index 100%
rename from assets/img/search-engines/searx.svg
rename to docs/assets/img/search-engines/searx.svg
diff --git a/assets/img/search-engines/startpage.svg b/docs/assets/img/search-engines/startpage.svg
similarity index 100%
rename from assets/img/search-engines/startpage.svg
rename to docs/assets/img/search-engines/startpage.svg
diff --git a/assets/img/legacy_svg/3rd-party/freenet.svg b/docs/assets/img/self-contained-networks/freenet.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/freenet.svg
rename to docs/assets/img/self-contained-networks/freenet.svg
diff --git a/assets/img/legacy_svg/3rd-party/i2p.svg b/docs/assets/img/self-contained-networks/i2p.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/i2p.svg
rename to docs/assets/img/self-contained-networks/i2p.svg
diff --git a/assets/img/legacy_svg/3rd-party/tor.svg b/docs/assets/img/self-contained-networks/tor.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/tor.svg
rename to docs/assets/img/self-contained-networks/tor.svg
diff --git a/docs/assets/img/social-media-aggregator/freepost.svg b/docs/assets/img/social-media-aggregator/freepost.svg
new file mode 100644
index 00000000..a94f63a8
--- /dev/null
+++ b/docs/assets/img/social-media-aggregator/freepost.svg
@@ -0,0 +1,2 @@
+ +
diff --git a/assets/img/legacy_svg/3rd-party/lemmy.svg b/docs/assets/img/social-media-aggregator/lemmy.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/lemmy.svg
rename to docs/assets/img/social-media-aggregator/lemmy.svg
diff --git a/docs/assets/img/social-media-aggregator/postmill.png b/docs/assets/img/social-media-aggregator/postmill.png
new file mode 100644
index 00000000..1ca6ef12
Binary files /dev/null and b/docs/assets/img/social-media-aggregator/postmill.png differ
diff --git a/assets/img/legacy_svg/3rd-party/tildes.svg b/docs/assets/img/social-media-aggregator/tildes.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/tildes.svg
rename to docs/assets/img/social-media-aggregator/tildes.svg
diff --git a/assets/img/legacy_svg/3rd-party/diaspora.svg b/docs/assets/img/social-networks/diaspora.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/diaspora.svg
rename to docs/assets/img/social-networks/diaspora.svg
diff --git a/assets/img/legacy_svg/3rd-party/friendica.svg b/docs/assets/img/social-networks/friendica.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/friendica.svg
rename to docs/assets/img/social-networks/friendica.svg
diff --git a/assets/img/legacy_svg/3rd-party/mastodon.svg b/docs/assets/img/social-networks/mastodon.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/mastodon.svg
rename to docs/assets/img/social-networks/mastodon.svg
diff --git a/docs/assets/img/social-networks/movim.svg b/docs/assets/img/social-networks/movim.svg
new file mode 100644
index 00000000..c2812d62
--- /dev/null
+++ b/docs/assets/img/social-networks/movim.svg
@@ -0,0 +1,2 @@
+ +
diff --git a/assets/img/legacy_svg/3rd-party/pixelfed.svg b/docs/assets/img/social-networks/pixelfed.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/pixelfed.svg
rename to docs/assets/img/social-networks/pixelfed.svg
diff --git a/assets/img/legacy_svg/3rd-party/pleroma.svg b/docs/assets/img/social-networks/pleroma.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/pleroma.svg
rename to docs/assets/img/social-networks/pleroma.svg
diff --git a/assets/img/video-streaming/freetube.svg b/docs/assets/img/video-streaming/freetube.svg
similarity index 100%
rename from assets/img/video-streaming/freetube.svg
rename to docs/assets/img/video-streaming/freetube.svg
diff --git a/assets/img/video-streaming/invidious-dark.svg b/docs/assets/img/video-streaming/invidious-dark.svg
similarity index 100%
rename from assets/img/video-streaming/invidious-dark.svg
rename to docs/assets/img/video-streaming/invidious-dark.svg
diff --git a/assets/img/video-streaming/invidious.svg b/docs/assets/img/video-streaming/invidious.svg
similarity index 100%
rename from assets/img/video-streaming/invidious.svg
rename to docs/assets/img/video-streaming/invidious.svg
diff --git a/assets/img/video-streaming/lbry.svg b/docs/assets/img/video-streaming/lbry.svg
similarity index 100%
rename from assets/img/video-streaming/lbry.svg
rename to docs/assets/img/video-streaming/lbry.svg
diff --git a/assets/img/video-streaming/newpipe.svg b/docs/assets/img/video-streaming/newpipe.svg
similarity index 100%
rename from assets/img/video-streaming/newpipe.svg
rename to docs/assets/img/video-streaming/newpipe.svg
diff --git a/assets/img/video-streaming/piped.svg b/docs/assets/img/video-streaming/piped.svg
similarity index 100%
rename from assets/img/video-streaming/piped.svg
rename to docs/assets/img/video-streaming/piped.svg
diff --git a/assets/img/legacy_svg/3rd-party/ivpn.svg b/docs/assets/img/vpn/ivpn.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/ivpn.svg
rename to docs/assets/img/vpn/ivpn.svg
diff --git a/assets/img/legacy_svg/3rd-party/mullvad-dark.svg b/docs/assets/img/vpn/mullvad-dark.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/mullvad-dark.svg
rename to docs/assets/img/vpn/mullvad-dark.svg
diff --git a/assets/img/legacy_svg/3rd-party/mullvad.svg b/docs/assets/img/vpn/mullvad.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/mullvad.svg
rename to docs/assets/img/vpn/mullvad.svg
diff --git a/assets/img/legacy_svg/3rd-party/protonvpn.svg b/docs/assets/img/vpn/protonvpn.svg
similarity index 100%
rename from assets/img/legacy_svg/3rd-party/protonvpn.svg
rename to docs/assets/img/vpn/protonvpn.svg
diff --git a/docs/assets/logo.svg b/docs/assets/logo.svg
new file mode 100644
index 00000000..cefa7b2d
--- /dev/null
+++ b/docs/assets/logo.svg
@@ -0,0 +1,10 @@
+ + + + + + + + + +
diff --git a/docs/blog.md b/docs/blog.md
new file mode 100644
index 00000000..3ddefe26
--- /dev/null
+++ b/docs/blog.md
@@ -0,0 +1,18 @@
+---
+title: Blog Index
+hide:
+ - toc
+---
+
+## 2021
+
+- **December 1:** [Firefox Privacy: 2021 Update](blog/2021/12/01/firefox-privacy-2021-update.md)
+- **November 1:** [Virtual Insanity](blog/2021/11/01/virtual-insanity.md)
+- **September 14:** [Welcome to Privacy Guides](blog/2021/09/14/welcome-to-privacy-guides.md)
+
+## 2019
+
+- **November 9:** [Firefox Privacy](blog/2019/11/09/firefox-privacy.md)
+- **October 30:** [Choosing a VPN](blog/2019/10/30/choosing-a-vpn.md)
+- **October 5:** [Understanding VPNs](blog/2019/10/05/understanding-vpns.md)
+- **August 22:** [Self Hosting a Shadowsocks VPN with Outline](blog/2019/08/22/self-hosting-shadowsocks-vpn-outline.md)
diff --git a/collections/_posts/2019-08-22-self-hosting-shadowsocks-vpn-outline.md b/docs/blog/2019/08/22/self-hosting-shadowsocks-vpn-outline.md
similarity index 99%
rename from collections/_posts/2019-08-22-self-hosting-shadowsocks-vpn-outline.md
rename to docs/blog/2019/08/22/self-hosting-shadowsocks-vpn-outline.md
index 438a776f..4cc3711e 100644
--- a/collections/_posts/2019-08-22-self-hosting-shadowsocks-vpn-outline.md
+++ b/docs/blog/2019/08/22/self-hosting-shadowsocks-vpn-outline.md
@@ -1,7 +1,7 @@
 ---
 title: 'Self-hosting a Shadowsocks VPN with Outline'
 author: Jonah
-layout: post
+template: overrides/blog.html
 excerpt: Outline is a suite of open-source software developed for journalists to safely access their network and the internet while traveling in countries where their activities may be monitored or censored...
 ---
 
diff --git a/collections/_posts/2019-10-05-understanding-vpns.md b/docs/blog/2019/10/05/understanding-vpns.md
similarity index 96%
rename from collections/_posts/2019-10-05-understanding-vpns.md
rename to docs/blog/2019/10/05/understanding-vpns.md
index b27c5d6b..1d17e6d6 100644
--- a/collections/_posts/2019-10-05-understanding-vpns.md
+++ b/docs/blog/2019/10/05/understanding-vpns.md
@@ -1,12 +1,9 @@
 ---
 title: Understanding VPNs
 author: Jonah
-cover: understanding-vpns-cover.jpg
-cover_src: 'https://unsplash.com/@freeche'
-cover_src_publisher: Kvistholt Photography
-canonical: 'https://blog.privacytools.io/understanding-vpns/'
-canonical_publisher: the PrivacyTools Blog
-layout: post
+background: understanding-vpns-cover.jpg
+background_src: 'https://unsplash.com/@freeche'
+template: overrides/blog.html
 excerpt: A VPN is a tool that secures your internet connection from attackers on your network...
 ---
 
diff --git a/collections/_posts/2019-10-30-choosing-a-vpn.md b/docs/blog/2019/10/30/choosing-a-vpn.md
similarity index 98%
rename from collections/_posts/2019-10-30-choosing-a-vpn.md
rename to docs/blog/2019/10/30/choosing-a-vpn.md
index 461bccc2..a9c35faa 100644
--- a/collections/_posts/2019-10-30-choosing-a-vpn.md
+++ b/docs/blog/2019/10/30/choosing-a-vpn.md
@@ -1,8 +1,7 @@
 ---
 title: Choosing a VPN
 author: Jonah
-layout: post
-excerpt: Now you know what a VPN is, here's how you choose between them...
+template: overrides/blog.html
 ---
 
 So [you know what a VPN is]({% link _posts/2019-10-05-understanding-vpns.md %}), but there are so many options to choose from! Well before we dive into this, let's get one thing off the bat:
diff --git a/collections/_posts/2019-11-09-firefox-privacy.md b/docs/blog/2019/11/09/firefox-privacy.md
similarity index 98%
rename from collections/_posts/2019-11-09-firefox-privacy.md
rename to docs/blog/2019/11/09/firefox-privacy.md
index 8c3cbf7d..cbfcf0d7 100644
--- a/collections/_posts/2019-11-09-firefox-privacy.md
+++ b/docs/blog/2019/11/09/firefox-privacy.md
@@ -1,13 +1,9 @@
 ---
 title: 'Firefox Privacy: Tips and Tricks for Better Browsing'
 author: Jonah
-cover: firefox-privacy-cover.jpg
-cover_src: 'https://unsplash.com/@vmxhu'
-cover_src_publisher: Szabo Viktor
-color: "linear-gradient(to bottom, rgba(158, 82, 19, 0.5), rgba(158, 82, 19, 0.9))"
-canonical: 'https://blog.privacytools.io/firefox-privacy-an-introduction-to-safe/'
-canonical_publisher: the PrivacyTools Blog
-layout: post
+background: firefox-privacy-cover.jpg
+background_src: 'https://unsplash.com/@vmxhu'
+template: overrides/blog.html
 excerpt: Mozilla Firefox is one of the most popular web browsers around, and for good reason. It's fast, secure, open-source, and it's backed by an organization that actually respects your privacy.
 ---
 
diff --git a/collections/_posts/2021-09-14-welcome-to-privacy-guides.md b/docs/blog/2021/09/14/welcome-to-privacy-guides.md
similarity index 99%
rename from collections/_posts/2021-09-14-welcome-to-privacy-guides.md
rename to docs/blog/2021/09/14/welcome-to-privacy-guides.md
index b5f3f2fe..00c5389f 100644
--- a/collections/_posts/2021-09-14-welcome-to-privacy-guides.md
+++ b/docs/blog/2021/09/14/welcome-to-privacy-guides.md
@@ -4,7 +4,7 @@ author:
 - Daniel
 - Freddy
 - Jonah
-layout: post
+template: overrides/blog.html
 excerpt: The team formerly known as PrivacyTools welcomes you to join a new community focused around privacy and security education.
 ---
 
diff --git a/collections/_posts/2021-11-01-virtual-insanity.md b/docs/blog/2021/11/01/virtual-insanity.md
similarity index 95%
rename from collections/_posts/2021-11-01-virtual-insanity.md
rename to docs/blog/2021/11/01/virtual-insanity.md
index 0589cb6c..5dd2e6f0 100644
--- a/collections/_posts/2021-11-01-virtual-insanity.md
+++ b/docs/blog/2021/11/01/virtual-insanity.md
@@ -1,10 +1,9 @@
 ---
 title: 'Virtual Insanity'
 author: Freddy
-cover: virtual-insanity.jpg
-cover_src: 'https://unsplash.com/photos/5psJeebVp9o'
-color: "linear-gradient(to bottom, rgba(158, 82, 19, 0.5), rgba(158, 82, 19, 0.9))"
-layout: post
+background: virtual-insanity.jpg
+background_src: 'https://unsplash.com/photos/5psJeebVp9o'
+template: overrides/blog.html
 excerpt: Facebook is dead. Long live Facebook.
 ---
 
diff --git a/collections/_posts/2021-12-01-firefox-privacy-2021-update.md b/docs/blog/2021/12/01/firefox-privacy-2021-update.md
similarity index 98%
rename from collections/_posts/2021-12-01-firefox-privacy-2021-update.md
rename to docs/blog/2021/12/01/firefox-privacy-2021-update.md
index b173a286..46180644 100644
--- a/collections/_posts/2021-12-01-firefox-privacy-2021-update.md
+++ b/docs/blog/2021/12/01/firefox-privacy-2021-update.md
@@ -1,9 +1,8 @@
 ---
 title: 'Firefox Privacy: 2021 update'
 author: Daniel Gray
-cover: firefox-privacy-2021.png
-color: "linear-gradient(to bottom, rgba(158, 82, 19, 0.5), rgba(158, 82, 19, 0.9))"
-layout: post
+background: firefox-privacy-2021.png
+template: overrides/blog.html
 excerpt: A lot changed between 2019 and now, not least in regards to Firefox.
 ---
 
diff --git a/docs/browsers.md b/docs/browsers.md
new file mode 100644
index 00000000..cf1e7ded
--- /dev/null
+++ b/docs/browsers.md
@@ -0,0 +1,228 @@ +--- +title: Browser Recommendations +icon: octicons/browser-16 +--- +These are our current web browser recommendations and settings. We recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## General Recommendations +### Tor Browser +!!! recommendation + + ![Tor Browser logo](/assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity. This browser provides you with access to the Tor Bridges and [Tor Network](https://en.wikipedia.org/wiki/Tor_(network)), along with extensions that can be automatically configured to fit its three security levels - *Standard*, *Safer* and *Safest*. We recommend that you do not change any of Tor Browser's default configurations outside of the standard security levels. + + !!! anonyimity "This product provides anonyimity" + + !!! warning + You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Browser extensions make you stand out from other Tor users and your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). 
+ + [Visit torproject.org](https://www.torproject.org){ .md-button .md-button--primary } [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .md-button } [Privacy Policy](https://support.torproject.org/tbb/tbb-3/){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://www.torproject.org/download/) + - [:fontawesome-brands-apple: macOS](https://www.torproject.org/download/) + - [:fontawesome-brands-linux: Linux](https://www.torproject.org/download/) + - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/com.github.micahflee.torbrowser-launcher) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid/) + - [:fontawesome-brands-git: Source](https://trac.torproject.org/projects/tor) + +## Desktop Browser Recommendations +### Firefox +!!! recommendation + + ![Firefox logo](/assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + These options can be found in the *Privacy & Security* settings page ( ≡ → Settings → Privacy & Security). + + #### **Enhanced Tracking Protection (ETP)** +
    +
  • Select: "Strict"
  • +
+ + #### **Sanitize on Close** +
    +
  • Select: "Delete cookies and site data when Firefox is closed"
  • +
+ You can still stay logged into websites by allowing exceptions. + + #### **Disable Search Suggestions** + *These features may not be available depending on your region.* +
    +
  • Toggle off: "Suggestions from the web"
  • +
  • Toggle off: "Suggestions from sponsors"
  • +
  • Toggle off: "Improve the Firefox Suggest experience"
  • +
+ + #### **Disable Telemetry** +
    +
  • Uncheck: "Allow Firefox to send technical and interaction data to Mozilla"
  • +
  • Uncheck: "Allow Firefox to install and run studies"
  • +
  • Uncheck: "Allow Firefox to send backlogged crash reports on your behalf"
  • +
+ + #### **HTTPS-Only Mode** +
    +
  • Select: "Enable HTTPS-Only Mode in all windows".
  • +
+ + #### Sync + The [Firefox sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) service is end-to-end encrypted. + + #### Extensions + We generally do not recommend installing any extensions as they increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [uBlock Origin](/browsers/#additional-resources) might be useful to you. The extension is also a 🏆️ [Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla. + + #### Arkenfox (advanced) + The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. These options are quite strict but a few are subjective and may cause some websites to not work properly. You can easily change these settings to suit your needs. We **strongly recommend** reading through their [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + !!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). 
+ + [Visit firefox.com](https://firefox.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mozilla.org/privacy/firefox){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://www.mozilla.org/firefox/windows) + - [:fontawesome-brands-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:fontawesome-brands-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/org.mozilla.firefox) + - [:fontawesome-brands-git: Source](https://hg.mozilla.org/mozilla-central) + +## Mobile Browser Recommendations +On Android, Mozilla's engine [GeckoView](https://mozilla.github.io/geckoview/) has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). Firefox on Android also doesn't yet have [HTTPS-Only mode](https://github.com/mozilla-mobile/fenix/issues/16952#issuecomment-907960218) built-in. We do not recommend Firefox or any Gecko based browsers at this time. + +On iOS all web browsers use [WKWebView](https://developer.apple.com/documentation/webkit/wkwebview), so all browsers on the App Store are essentially Safari under the hood. + +### Bromite +!!! recommendation + + ![Bromite logo](/assets/img/browsers/bromite.svg){ align=right } + + **Bromite** is a [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser))-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization. + + These options can be found in *Privacy and Security* ( ⁝ → ⚙️ Settings → Privacy and Security). + + #### **HTTPS-Only Mode** +
    +
  • Select: Always use secure connections.
  • +
+ + #### **Always-on Incognito Mode** +
    +
  • Select: "Open links in incognito tabs always"
  • +
  • Select: "Close all open tabs on exit"
  • +
  • Select: "Open external links in incognito"
  • +
+ + [Visit bromite.org](https://www.bromite.org){ .md-button .md-button--primary } [Privacy Policy](https://www.bromite.org/privacy){ .md-button } + + **Downloads** + - [:fontawesome-brands-android: Android](https://www.bromite.org/fdroid) + - [:fontawesome-brands-github: Source](https://github.com/bromite/bromite) + +### Safari +!!! recommendation + + ![Safari logo](/assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + These options can be found in *Privacy and Security* (⚙️ Settings → Safari → Privacy and Security). + + #### **Cross-Site Tracking Prevention** + Toggling this setting enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). +
    +
  • Toggle On: "Prevent Cross-Site Tracking".
  • +
+ + #### **Privacy Report** + Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + + Privacy Report is accessible through the "**Aa**" icon in the URL bar. + + #### **Privacy Preserving Ad Measurement** + This is WebKit's own [implementation](https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/) of privacy preserving ad click attribution. If you do not wish to participate, you can disable this feature. +
    +
  • Toggle Off: "Privacy Preserving Ad Measurement".
  • +
+ + #### **Apple Pay** + If you do not use Apple Pay, you can toggle off the ability for websites to check for it. +
    +
  • Toggle Off: "Check for Apple Pay".
  • +
+ + #### **Always-on Private Browsing** + Open Safari and press the tabs icon in the bottom right corner. Open Tab Groups, located in the bottom middle. +
    +
  • Select: "Private".
  • +
+ + #### iCloud Sync + While synchronization of Safari History, Tab Groups, and iCloud Tabs is end-to-end encrypted, bookmarks are [not](https://support.apple.com/en-us/HT202303); they are only encrypted in transit and stored in an encrypted format on Apple's servers. Apple may be able to decrypt and access them. + + If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in *General* (⚙️ Settings → Safari → General → Downloads). + + #### Extensions + We generally do not recommend installing [any extensions](https://www.sentinelone.com/blog/inside-safari-extensions-malware-golden-key-user-data/) as they increase your browser's [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [AdGuard for Safari](/browsers/#additional-resources) might be useful to you. + + [Visit apple.com](https://www.apple.com/safari/){ .md-button .md-button--primary } [Privacy Policy](https://www.apple.com/legal/privacy/data/en/safari/){ .md-button } + + **Downloads** + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/safari/id1146562112) + +## Additional Resources +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](/assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + We suggest enabling all of the [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) under the "Ads," "Privacy," and "Malware domains". The "Annoyances" and "Multipurpose" lists can also be enabled, but they may break some social media functions. The *AdGuard URL Tracking Protection* filter list makes extensions like CleanURLs and NeatURLs redundant. 
+ + We also suggest adding the [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) list and any of the regional lists that might apply to your browsing habits. To add this list, first access settings by clicking on the uBO icon, then the settings icon (⚙️). Go to the bottom of the Filter lists pane and place a checkmark next to Import under the Custom section. Paste the URL of the filter list above into the text area that appears below and click "Apply changes". + + Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need. + + uBlock Origin also has different [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode). The easy mode [might not](https://www.ranum.com/security/computer_security/editorials/dumb/) necessarily keep you safe from every tracker out there, whereas the more advanced modes let you control exactly what needs to run. + + [Visit github.com](https://github.com/gorhill/uBlock){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + - [:fontawesome-brands-opera: Opera](https://addons.opera.com/extensions/details/ublock) + - [:fontawesome-brands-github: Source](https://github.com/gorhill/uBlock) + +### AdGuard for Safari +!!! 
recommendation + + ![AdGuard logo](/assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for Safari** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). We suggest enabling the filters labled *#recommended* under the "Ad Blocking" and "Privacy" [content blockers](https://kb.adguard.com/en/safari/overview#content-blockers). The *#recommended* filters can also be enabled for the "Social Widgets" and "Annoyances" content blockers, but they may break some social media functions. + + Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need. + + There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) which is able to perform system-wide content blocking by means of DNS filtering. + + [Visit adguard.com](https://adguard.com/en/adguard-safari/overview.html){ .md-button .md-button--primary } [Privacy Policy](https://adguard.com/en/privacy/safari.html){ .md-button } + + **Downloads** + - [:fontawesome-brands-safari: Safari](https://apps.apple.com/app/adguard-for-safari/id1440147259) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/apple-store/id1047223162) + - [:fontawesome-brands-git: Source](https://github.com/AdguardTeam/AdGuardForSafari) + +### Terms of Service; Didn't Read +!!! recommendation + + ![Terms of Service; Didn't Read logo](/assets/img/browsers/terms_of_service_didnt_read.svg){ align=right } + + **Terms of Service; Didn't Read** grades websites based on their terms of service agreements and privacy policies. It also gives short summaries of those agreements. The analyses and ratings are published transparently by a community of reviewers. + + We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website. 
+ + [Visit tosdr.org](https://tosdr.org){ .md-button .md-button--primary } [Privacy Policy](https://addons.mozilla.org/firefox/addon/terms-of-service-didnt-read/privacy){ .md-button } diff --git a/docs/calendar-contacts.md b/docs/calendar-contacts.md new file mode 100644 index 00000000..8d340397 --- /dev/null +++ b/docs/calendar-contacts.md 
@@ -0,0 +1,94 @@
+---
+title: Calendar and Contact Sync Tools
+icon: material/calendar
+---
+Calendaring and contacts are some of the most sensitive data posess. Use only products that use end-to-end encryption (E2EE) at rest. This prevents a provider from reading your data.
+
+## Software as a service (SaaS) only
+These products are included with an subscription to the respective [email providers](/providers/email).
+
+### Tutanota
+!!! recommendation
+
+ ![Tutanota logo](/assets/img/calendar-contacts/tutanota.svg#only-light){ align=right }
+ ![Tutanota logo](/assets/img/calendar-contacts/tutanota-dark.svg#only-dark){ align=right }
+
+ **Tutanota** has an [encrypted calendar](https://tutanota.com/blog/posts/free-encrypted-calendar/) in their desktop and mobile clients.
+
+ [Visit tutanota.com](https://tutanota.com/calendar){ .md-button .md-button--primary } [Privacy Policy](https://tutanota.com/privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:fontawesome-brands-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:fontawesome-brands-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+ - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/com.tutanota.Tutanota)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+ - [:fontawesome-brands-github: Source](https://github.com/tutao/tutanota)
+
+### Proton Calendar
+!!! recommendation
+
+ ![Proton Calendar logo](/assets/img/calendar-contacts/proton-calendar.jpg){ align=right }
+
+ **Proton Calendar** is an calendar app that is available to ProtonMail users.
All data stored within it is end-to-end encrypted when stored on ProtonMail's servers.
+
+ [Visit calendar.protonmail.com](https://calendar.protonmail.com){ .md-button .md-button--primary } [Privacy Policy](https://protonmail.com/privacy-policy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+ - [:fontawesome-brands-github: Source](https://github.com/ProtonMail/WebClients)
+
+## Self-hostable
+Some of these options are self-hostable, or able to be hosted by third party providers for a fee:
+
+### EteSync
+!!! recommendation
+
+ ![EteSync logo](/assets/img/calendar-contacts/etesync.svg){ align=right }
+
+ **EteSync** is a secure, end-to-end encrypted, and privacy-respecting cloud backup and synchronization software for your personal information (e.g. contacts and calendars). There are native clients for Android, iOS, and the web, and an adapter layer for most desktop clients.
+
+ EteSync also offers optional software as a service for [$24 per year](https://dashboard.etebase.com/user/partner/pricing/) to use, or you can host the server yourself for free.
+
+ [Visit etesync.com](https://www.etesync.com){ .md-button .md-button--primary } [Privacy Policy](https://www.etesync.com/tos/#privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-solid-earth-americas: Client Instructions](https://github.com/etesync/etesync-dav/blob/master/README.md#specific-client-notes-and-instructions)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.etesync.syncadapter)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/app/com.etesync.syncadapter)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/apple-store/id1489574285)
+ - [:fontawesome-brands-github: Source](https://github.com/etesync)
+
+### Nextcloud
+!!!
recommendation
+
+ ![Nextcloud logo](/assets/img/calendar-contacts/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of client-server software for creating and using file hosting services. This includes calendar sync via CalDAV and contacts sync via CardDAV. Nextcloud is free and open-source, thereby allowing anyone to install and operate it without charge on a private server.
+
+ You can self host Nextcloud or pay for service from a [provider](https://nextcloud.com/signup/).
+
+ [Visit ](){ .md-button .md-button--primary } [Privacy Policy](){ .md-button }
+ [:pg-tor:](){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://nextcloud.com/install/#install-clients)
+ - [:fontawesome-brands-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:fontawesome-brands-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/com.nextcloud.desktopclient.nextcloud)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.nextcloud.client)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/nextcloud/id1125420102)
+ - [:fontawesome-brands-github: Source](https://github.com/nextcloud)
+
+### DecSync
+!!! recommendation
+
+ **DecSync** can be used to synchronize RSS, contacts, calendars and tasks without a server by using file synchronization software such as [Syncthing](/software/file-sharing/#sync).
+
+ [Visit github.com](https://github.com/39aldo39/DecSync){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-github: Source](https://github.com/39aldo39/DecSync)
diff --git a/docs/cloud.md b/docs/cloud.md
new file mode 100644
index 00000000..4f7f40cf
--- /dev/null
+++ b/docs/cloud.md
@@ -0,0 +1,80 @@
+---
+title: Cloud Storage
+icon: material/file-cloud
+---
+If you are currently using a Cloud Storage Service like Dropbox, Google Drive, Microsoft OneDrive or Apple iCloud, you are putting complete trust in your service provider to not look at your files.
+
+Consider reducing the need to trust your provider, by using an alternative below that supports [end-to-end encryption (E2EE)](https://wikipedia.org/wiki/End-to-end_encryption).
+
+### Nextcloud
+!!! recommendation
+
+ ![Nextcloud logo](/assets/img/cloud/nextcloud.svg){ align=right }
+
+ **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. It also comes with experimental end-to-end encryption (E2EE).
+
+ We recommend checking if your Nextcloud provider supports E2EE, otherwise you have to trust the provider to not look at your files.
+
+ When self hosting Nextcloud, you should also remember to enable E2EE to protect against your hosting provider from snooping on your data.
+
+ [Visit nextcloud.com](https://nextcloud.com){ .md-button .md-button--primary } [Privacy Policy](https://nextcloud.com/privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://nextcloud.com/install/#install-clients)
+ - [:fontawesome-brands-apple: macOS](https://nextcloud.com/install/#install-clients)
+ - [:fontawesome-brands-linux: Linux](https://nextcloud.com/install/#install-clients)
+ - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+ - [:pg-openbsd: OpenBSD](https://openports.se/www/nextcloud)
+ - [:pg-netbsd: NetBSD](https://pkgsrc.se/www/php-nextcloud)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.nextcloud.client)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1125420102)
+ - [:fontawesome-brands-github: Source](https://github.com/nextcloud)
+
+### Proton Drive
+!!! recommendation
+
+ ![Proton Drive logo](/assets/img/cloud/protondrive.svg){ align=right }
+
+ **Proton Drive** is an end-to-end encrypted (E2EE) general file storage service by the popular encrypted email provider [ProtonMail](https://protonmail.com).
+
+ Proton Drive is currently in beta and only is only available through a web client.
+
+ When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](/threat-modeling/), consider using an alternative.
+
+ [Visit drive.protonmail.com](https://drive.protonmail.com){ .md-button .md-button--primary } [Privacy Policy](https://protonmail.com/privacy-policy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-github: Source](https://github.com/ProtonMail/WebClients)
+
+### Cryptee
+!!! recommendation
+
+ ![Cryptee logo](./assets/img/cloud/cryptee.svg#only-light){ align=right }
+ ![Cryptee logo](./assets/img/cloud/cryptee-dark.svg#only-dark){ align=right }
+
+ **Cryptee** is an encrypted, secure photo storage service, and an encrypted documents editor to write personal docs, notes, journals, store files & more.
+
+ [Visit crypt.ee](https://crypt.ee){ .md-button .md-button--primary } [Privacy Policy](https://crypt.ee/privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-github: Source](https://github.com/cryptee/web-client)
+
+### Tahoe-LAFS (Advanced)
+!!! recommendation
+
+ ![Tahoe-LAFS logo](./assets/img/cloud/tahoe-lafs.svg#only-light){ align=right }
+ ![Tahoe-LAFS logo](./assets/img/cloud/tahoe-lafs-dark.svg#only-dark){ align=right }
+
+ **Tahoe-LAFS** is a free and open decentralized cloud storage system. It distributes your data across multiple servers. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security. The servers used as storage pools do not have access to your data.
+
+ Due to the complexity of the system and the amount of nodes needed to set it up, Tahoe-LAFS is only recommended for seasoned system administrators.
+ + [Visit tahoe-lafs.org](https://www.tahoe-lafs.org){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://github.com/tahoe-lafs/tahoe-lafs#via-pip) + - [:fontawesome-brands-apple: macOS](https://github.com/tahoe-lafs/tahoe-lafs#via-pip) + - [:fontawesome-brands-linux: Linux](https://github.com/tahoe-lafs/tahoe-lafs#using-os-packages) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/filesystems/tahoe-lafs) + - [:fontawesome-brands-git: Source](https://www.tahoe-lafs.org/trac/tahoe-lafs/browser) diff --git a/collections/_evergreen/dns.md b/docs/dns.md similarity index 67% rename from collections/_evergreen/dns.md rename to docs/dns.md index 88a4abb6..df570b29 100644 --- a/collections/_evergreen/dns.md +++ b/docs/dns.md @@ -1,8 +1,8 @@ --- -layout: page title: "DNS Resolvers" -description: "The [Domain Name System (DNS)](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to [IP](https://en.wikipedia.org/wiki/Internet_Protocol) addresses so browsers and other services can load Internet resources, through a decentralized network of servers." +icon: material/dns --- +The [Domain Name System (DNS)](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to [IP](https://en.wikipedia.org/wiki/Internet_Protocol) addresses so browsers and other services can load Internet resources, through a decentralized network of servers. ## What is DNS? When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. 
@@ -11,32 +11,51 @@ DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When a user requests the IP of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [deep packet inspection (DPI)](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses the [User Datagram Protocol (UDP)](https://en.wikipedia.org/wiki/User_Datagram_Protocol). -Below we discuss what an outside observer may see using regular unencrypted DNS, and [encrypted DNS](/dns/#what-is-encrypted-dns). +Below we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS, and [encrypted DNS](/dns/#what-is-encrypted-dns). ### Unencrypted DNS 1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: -
tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8
+ ``` + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` -2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically unless they are configured to use [encrypted DNS](/dns/#what-is-encrypted-dns). -
-   dig +noall +answer privacyguides.org @1.1.1.1
-   dig +noall +answer privacyguides.org @8.8.8.8
-   
+2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) on Windows to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically unless they are configured to use [encrypted DNS](/dns/#what-is-encrypted-dns). - or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) on Windows: -
-   nslookup privacyguides.org 1.1.1.1
-   nslookup privacyguides.org 8.8.8.8
-   
+ === "Linux, MacOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` 3. Next we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: -
wireshark -r /tmp/dns.pcap
- or: -
tshark -r /tmp/dns.pcap
+ + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` If you ran the Wireguard command above the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction and can aggregate those frames to produce statistical data useful to the network observer. -{% include table-unencrypted-dns.html %} +| No. | Time | Source | Destination | Protocol | Length | Info | +|-----|----------|-----------|-------------|----------|--------|------------------------------------------------------------------------| +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | An observer could modify any of these packets. @@ -58,29 +77,40 @@ Native implementations showed up in [iOS 14](https://en.wikipedia.org/wiki/IOS_1 In this example we will record what happens when we make a DoH request: 1. Firstly start `tshark`: -
+   ```
    tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1"
-   
+ ``` 2. Secondly make a request with `curl`: -
+   ```
    curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org
-   
+ ``` 3. After making the request, we can stop the packet capture with CTRL + C. 4. Analyse the results in Wireshark: -
wireshark -r /tmp/dns_doh.pcap
+ ``` + wireshark -r /tmp/dns_doh.pcap + ``` We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. ## Why **shouldn't** I use encrypted DNS? In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](/threat-modeling/). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org), or a [VPN](/providers/vpn/) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN you are already trusting them with all your network activity. We made this flow chart to describe when you *should* use "encrypted DNS": - - - DNS flowchart - +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding censorship?} + censorship --> | Yes | vpnOrTor(Use VPN or Tor) + censorship --> | No | privacy{Want privacy from ISP?} + privacy --> | No | obnoxious{ISP makes obnoxious redirects?} + obnoxious --> | Yes | encryptedDNS(Use encrypted DNS with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support encrypted DNS?} + ispDNS --> | Yes | useISP(Use encrypted DNS with ISP) + ispDNS --> | No | nothing(Do nothing) +``` When we do a DNS lookup, it's generally because we want to access a resource. Below we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: 
@@ -93,31 +123,33 @@ This method is only useful when the IP address belongs to a server that only hos Server Name Indication, is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. 1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: -
+   ```
    tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105
-   
+ ``` 2. Then we visit [https://privacyguides.org](https://privacyguides.org). 3. After visiting the website, we what to stop the packet capture with CTRL + C. 4. Next we want to analyze the results: -
wireshark -r /tmp/pg.pcap
+ ``` + wireshark -r /tmp/pg.pcap + ``` We will see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment), followed by the [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". 5. Expand the triangle ▸ next to each field: -
+   ```
    ▸ Transport Layer Security
      ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello
        ▸ Handshake Protocol: Client Hello
          ▸ Extension: server_name (len=22)
            ▸ Server Name Indication extension
-   
+ ``` 6. We can see the [Server Name Indication (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication) value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: -
-    tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
-   
+ ``` + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/) which prevents this kind of leak. @@ -131,59 +163,61 @@ The OCSP request contains the certificate "[serial number](https://en.wikipedia. We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. 1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: -
+   ```
    openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
        sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
-   
+ ``` 2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. -
+   ```
    openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
        sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
-   
+ ``` 3. The first certificate in `pg_and_intermediate.cert`, is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: -
+   ```
    sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
        /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
-   
+ ``` 4. Get the OCSP responder for the server certificate: -
openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
- + ``` + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` If we want to see all the details of the certificate we can use: -
openssl x509 -text -noout -in /tmp/pg_server.cert
+ ``` + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` Our certificate shows the Lets Encrypt certificate responder. 5. Start the packet capture: -
+   ```
    tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
-   
+ ``` 6. Make the OCSP request: -
+   ```
    openssl ocsp -issuer /tmp/intermediate_chain.cert \
                 -cert /tmp/pg_server.cert \
                 -text \
                 -url http://r3.o.lencr.org
-   
+ ``` -6. Open the capture: -
+7. Open the capture:
+   ```
    wireshark -r /tmp/pg_ocsp.pcap
-   
- + ``` There will be two packets with the "OCSP" protocol; a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: -
+   ```
    ▸ Online Certificate Status Protocol
      ▸ tbsRequest
        ▸ requestList: 1 item
          ▸ Request
            ▸ reqCert
              serialNumber
-   
+ ``` For the "Response" we can also see the "serial number": -
+   ```
    ▸ Online Certificate Status Protocol
      ▸ responseBytes
        ▸ BasicOCSPResponse
@@ -192,12 +226,12 @@ We can simulate what a browser would do using the [`openssl`](https://en.wikiped
              ▸ SingleResponse
                ▸ certID
                  serialNumber
-   
+ ``` 7. Or use `tshark` to filter the packets for the Serial Number: -
+   ```
    tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
-   
+ ``` If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. @@ -206,12 +240,26 @@ You should only use DNS if your [threat model](/threat-modeling/) doesn't requir Encrypted DNS can also help if your ISP obnoxiously redirects you to other websites. These are our recommendations for servers: -{% include recommendation-table.html data='dns' %} +| DNS Provider | Privacy Policy | Type | Protocols | Logging | ECS | Filtering | +| ------------ | -------------- | ---- | --------- | ------- | --- | --------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Commercial | Cleartext
DoH
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://www.cloudflare.com/privacypolicy) | Commercial | Cleartext
DoH
DoT | Some[^2] | No | Based on server choice.| +| [**ControlID**](https://controld.com) | [:octicons-link-external-24:](https://controld.com/privacy) | Commercial | Cleartext
DoH
DoT | Optional[^3] | No | Based on server choice. | +| [**MullvadDNS**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/privacy-policy/) [^4] | Commercial | DoH
DoT | No | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Commercial | Cleartext
DoH
DoT
DNSCrypt | Optional[^5] | No | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/service/privacy) | Non-Profit | Cleartext
DoH
DoT
DNSCrypt | No | Optional | Based on server choice, Malware blocking by default. | + +[^1]: We store aggregated performance metrics of our DNS server, namely the number of complete requests to a particular server, the number of blocked requests, the speed of processing requests. We keep and store the database of domains requested in the last 24 hours. We need this information to identify and block new trackers and threats. We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters. +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is only stored for 25 hours. +[^3]: Neither free nor premium service have logging enabled by default. Premium users can enable logging/analytics at will. +[^4]: Our public DNS service offers DNS over HTTPS (DoH) and DNS over TLS (DoT), with QNAME minimization and basic ad blocking. It has been audited by the security experts at Assured. You can use this privacy-enhancing service even if you don't use Mullvad. +[^5]: NextDNS can provide insights and logging features on an opt-in basis. Users can choose retention times and log storage locations for any logs they choose to keep. The criteria for servers for this table are: - * Must support [DNSSEC](/dns/#what-is-dnssec-and-when-is-it-used) - * Must have [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support - * [QNAME Minimization](/dns/#what-is-qname-minimization) + +- Must support [DNSSEC](/dns/#what-is-dnssec-and-when-is-it-used) +- Must have [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support +- [QNAME Minimization](/dns/#what-is-qname-minimization) ## What is DNSSEC and when is it used? 
[Domain Name System Security Extensions (DNSSEC)](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is used to provide authenticity to the records being fetched from upstream DNS servers. It doesn't provide confidentiality, for that we use one of the [encrypted DNS](/dns#what-is-encrypted-dns) protocols discussed above. 
@@ -253,14 +301,47 @@ Select *Settings* → *Network & Internet* → *Ethernet* or *WiFi*, &rarr ### Linux `systemd-resolved` doesn't [yet support](https://github.com/systemd/systemd/issues/8639), which many Linux distributions use to do their DNS lookups. This means you need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. -### Encrypted DNS Proxies +## Encrypted DNS Proxies This software provides third-party encrypted DNS support by pointing the [unencrypted dns](/dns/#unencrypted-dns) resolver to a local [encrypted dns](/dns/#what-is-encrypted-dns) proxy. -{% for item_hash in site.data.software.dns-apps %} -{% assign item = item_hash[1] %} +### RethinkDNS +!!! recommendation -{% if item.type == "Recommendation" %} -{% include recommendation-card.html %} -{% endif %} + ![RethinkDNS logo](/assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](/assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } -{% endfor %} + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNS-over-TLS](/dns/#dns-over-tls-dot), [DNSCrypt](/dns/#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [Visit rethinkdns.com](https://rethinkdns.com){ .md-button .md-button--primary } [Privacy Policy](https://rethinkdns.com/privacy){ .md-button } + + **Downloads** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.celzero.bravedns) + - [:fontawesome-brands-github: Source](https://github.com/celzero/rethink-app) + +### DNSCloak +!!! 
recommendation + + ![DNSCloak logo](/assets/img/ios/dnscloak.png){ align=right } + + **DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNSCrypt](/dns/#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5). + + [Visit github.com](https://github.com/s-s/dnscloak/blob/master/README.md){ .md-button .md-button--primary } [Privacy Policy](https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view){ .md-button } + + **Downloads** + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1452162351) + - [:fontawesome-brands-github: Source](https://github.com/s-s/dnscloak) + +### dnscrypt-proxy +!!! recommendation + + ![dnscrypt-proxy logo](/assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](/dns/#dnscrypt), [DNS-over-HTTPS](/dns/#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](/dns#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [Visit github.com](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button } + + **Downloads** + - [:fontawesome-brands-github: Source](https://github.com/DNSCrypt/dnscrypt-proxy) diff --git a/docs/email-clients.md b/docs/email-clients.md new file mode 100644 index 00000000..1054bc7b --- /dev/null +++ b/docs/email-clients.md 
@@ -0,0 +1,138 @@ +--- +title: Email Clients +icon: material/email-open +--- +Discover free, open-source, and secure email clients, along with some email alternatives you may not have considered. + +!!! Warning + When using end-to-end encryption (E2EE) technology like [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), email will still have some metadata that is not encrypted in the header of the email. [Read more about email metadata](https://privacyguides.org/providers/email/#metadata). + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](/providers/email/#email-encryption) + + Rather than use email for prolonged conversations, consider using a medium that [**does** support](/real-time-communication/) forward secrecy. + +### Thunderbird +!!! recommendation + + ![Thunderbird logo](/assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [Visit thunderbird.net](https://www.thunderbird.net){ .md-button .md-button--primary } [Privacy Policy](https://www.mozilla.org/privacy/thunderbird){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://www.thunderbird.net) + - [:fontawesome-brands-apple: macOS](https://www.thunderbird.net) + - [:fontawesome-brands-linux: Linux](https://www.thunderbird.net) + - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/org.mozilla.Thunderbird) + - [:fontawesome-brands-git: Source](https://hg.mozilla.org/comm-central) + +### GNOME Evolution +!!! 
recommendation + + ![Evolution logo](/assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [Visit gnome.org](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } [Privacy Policy](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .md-button } + + **Downloads** + - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/org.gnome.Evolution) + - [:fontawesome-brands-gitlab: Source](https://gitlab.gnome.org/GNOME/evolution) + +### Kontact +!!! recommendation + + ![Kontact logo](/assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [Visit kontact.kde.org](https://kontact.kde.org){ .md-button .md-button--primary } [Privacy Policy](https://kde.org/privacypolicy-apps){ .md-button } + + **Downloads** + - [:fontawesome-brands-linux: Linux](https://kontact.kde.org/download) + - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/org.kde.kontact) + - [:fontawesome-brands-git: Source](https://invent.kde.org/pim/kmail) + +### Mailvelope +!!! recommendation + + ![Mailvelope logo](/assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. 
+ + [Visit mailvelope.com](https://www.mailvelope.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mailvelope.com/en/privacy-policy){ .md-button } + + **Downloads** + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + - [:fontawesome-brands-github: Source](https://github.com/mailvelope/mailvelope) + + +### K-9 Mail +!!! recommendation + + ![K-9 Mail logo](/assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + [Visit k9mail.app](https://k9mail.app){ .md-button .md-button--primary } [Privacy Policy](https://k9mail.app/privacy){ .md-button } + + **Downloads** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9) + - [:fontawesome-brands-github: Source](https://github.com/k9mail) + +### FairEmail +!!! recommendation + + ![FairEmail logo](/assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. 
+ + [Visit email.faircode.eu](https://email.faircode.eu){ .md-button .md-button--primary } [Privacy Policy](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .md-button } + + **Downloads** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9) + - [:fontawesome-brands-app-store-ios: App Store](https://f-droid.org/en/packages/eu.faircode.email) + - [:fontawesome-brands-github: Source](https://github.com/M66B/FairEmail) + +### Canary Mail +!!! recommendation + + ![Canary Mail logo](/assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + !!! attention + Canary Mail is closed source. We recommend it, due to the few choices there are for email clients on iOS that support [Pretty Good Privacy (PGP)](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), end-to-end encryption (E2EE). + + !!! note + Canary Mail only recently released a Windows and Android client we don't believe they are as stable as their iOS and Mac counterparts. + + [Visit canarymail.io](https://canarymail.io){ .md-button .md-button--primary } [Privacy Policy](https://canarymail.io/privacy.html){ .md-button } + + **Downloads** + - [:fontawesome-brands-apple: macOS](https://apps.apple.com/app/id1236045954) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1236045954) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:fontawesome-brands-windows: Windows](https://download.canarymail.io/get_windows) + +### Neomutt +!!! recommendation + + ![Neomutt logo](/assets/img/email-clients/mutt.svg){ align=right } + + NeoMutt is an open-source command line mail reader (or MUA) for Linux and BSD. 
It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + !!! info + Neomut is a text-based client that has a steep learning curve. It is however, very customizable. + + [Visit neomutt.org](https://neomutt.org){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-linux: Linux](https://neomutt.org/distro) + - [:fontawesome-brands-apple: macOS](https://neomutt.org/distro) + - [:fontawesome-brands-github: Source](https://github.com/neomutt/neomutt) diff --git a/docs/email.md b/docs/email.md new file mode 100644 index 00000000..1653fed0 --- /dev/null +++ b/docs/email.md 
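Review bot: Two download links in the FairEmail card do not match the app: the F-Droid entry points to `https://f-droid.org/packages/com.fsck.k9`, the K-9 Mail package used in the card above, and the entry labelled `App Store` (iOS icon) points to `https://f-droid.org/en/packages/eu.faircode.email`. As written, a reader following the F-Droid link installs a different client from the one being described. The second URL looks like the intended F-Droid target, so I would change the F-Droid line to `- [:pg-f-droid: F-Droid](https://f-droid.org/packages/eu.faircode.email)` and remove the `App Store` line unless an iOS build actually exists. Minor: the info box in the last card spells the client `Neomut`.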
@@ -0,0 +1,507 @@ +--- +title: Private Email Providers +icon: material/email +--- + +Find a secure email provider that will keep your privacy in mind. Don’t settle for ad-supported platforms. Never trust any company with your privacy, always encrypt. + +!!! warning + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about email metadata. + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. How do I protect my private keys? + +??? example "Email Alternatives" + + Rather than use email for prolonged conversations, consider using a medium that does support Forward secrecy. + + [Recommended Instant Messengers](real-time-communication.md){ .md-button } + +## Recommended Email Services + +### ProtonMail + +!!! recommendation + + ![ProtonMail logo](/assets/img/email/protonmail.svg){ align=right } + + **ProtonMail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. ProtonMail is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + Free accounts have some limitations, such as not being able to search body text and not having access to [ProtonMail Bridge](https://protonmail.com/bridge), which is required to use a [recommended desktop email client](https://privacyguides.org/software/email) (e.g. Thunderbird). Paid accounts are available starting at **€48/y** which include features like ProtonMail Bridge, additional storage, and custom domain support. + + **Free** + + [Visit ProtonMail.com](https://protonmail.com){ .md-button .md-button--primary } + +??? check "Custom Domains and Aliases" + + Paid ProtonMail users can use their own domain with the service. 
[Catch-all](https://protonmail.com/support/knowledge-base/catch-all/) addresses are supported with custom domains for Professional and Visionary plans. ProtonMail also supports [subaddressing](https://protonmail.com/support/knowledge-base/creating-aliases/), which is useful for users who don't want to purchase a domain. + +??? check "Private Payment Methods" + + ProtonMail accepts Bitcoin in addition to accepting credit/debit cards and PayPal. + +??? check "Account Security" + + ProtonMail supports [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) [two factor authentication](https://protonmail.com/support/knowledge-base/two-factor-authentication/) only. The use of a [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) security key is not yet supported. ProtonMail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code. + +??? check "Data Security" + + ProtonMail has [zero access encryption](https://protonmail.com/blog/zero-access-encryption) at rest for your emails, [address book contacts](https://protonmail.com/blog/encrypted-contacts-manager), and [calendars](https://protonmail.com/blog/protoncalendar-security-model). This means the messages and other data stored in your account are only readable by you. + +??? check "Email Encryption" + + ProtonMail has [integrated OpenPGP encryption](https://protonmail.com/support/knowledge-base/how-to-use-pgp) in their webmail. Emails to other ProtonMail users are encrypted automatically, and encryption to non-ProtonMail users with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-ProtonMail users](https://protonmail.com/support/knowledge-base/encrypt-for-outside-users) without the need for them to sign up for a ProtonMail account or use software like OpenPGP. 
+ + ProtonMail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows users outside of ProtonMail to find the OpenPGP keys of ProtonMail users easily, for cross-provider E2EE. + +??? check ".onion Service" + + ProtonMail's login and services are accessible over Tor, [protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/) + +??? info "Additional Functionality" + + ProtonMail offers a "Visionary" account for €24/Month, which also enables access to ProtonVPN in addition to providing multiple accounts, domains, aliases, and extra storage. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](/assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + **EUR €12/year** + + [Visit Mailbox.org](https://mailbox.org){ .md-button .md-button--primary } + +??? check "Custom Domains and Aliases" + + Mailbox.org lets users use their own domain and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful for users who don't want to purchase a domain. + +??? info "Private Payment Methods" + + Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +??? 
check "Account Security" + + Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +??? info "Data Security" + + Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + + However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](https://privacyguides.org/software/calendar-contacts/) may be more appropriate for that information. + +??? check "Email Encryption" + + Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to users with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + + Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows users outside of Mailbox.org to find the OpenPGP keys of Mailbox.org users easily, for cross-provider E2EE. + +??? 
info ".onion Service" + + You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service, and users may experience TLS certificate errors. + +??? info "Additional Functionality" + + All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +### Disroot + +!!! recommendation + + ![Disroot logo](/assets/img/email/disroot.svg#only-light){ align=right } + ![Disroot logo](/assets/img/email/disroot-dark.svg#only-dark){ align=right } + + **Disroot** offers email amongst [other services](https://disroot.org/en/#services). The service is maintained by volunteers and its community. They have been in operation since 2015. Disroot is based in Amsterdam. Disroot is free and uses open source software such as Rainloop to provide service. Users support the service through donations and buying extra storage. The mailbox limit is 1 GB, but extra storage can be purchased 0.15€ per GB per month paid yearly. + + **Free** + + [Visit Disroot.org](https://disroot.org){ .md-button .md-button--primary } + +??? check "Custom Domains and Aliases" + + Disroot lets users use their own domain. They have aliases, however you must [manually apply](https://disroot.org/en/forms/alias-request-form) for them. + +??? check "Private Payment Methods" + + Disroot accepts Bitcoin and Faircoin as payment methods. 
They also accept PayPal, direct bank deposit, and Patreon payments. Disroot is a not-for-profit organization that also accepts donations through Liberapay, Flattr, and Monero, but these payment methods cannot be used to purchase services. + +??? check "Account Security" + + Disroot supports [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) two factor authentication for webmail only. They do not allow [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) security key authentication. + +??? warning "Data Security" + + Disroot uses full disk encryption. However, it doesn't appear to be "zero access", meaning it is technically possible for them to decrypt the data they have if it is not additionally encrypted with a tool like OpenPGP. + + Disroot also uses the standard [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) protocols for calendars and contacts, which do not support E2EE. A [standalone option](https://privacyguides.org/software/calendar-contacts/) may be more appropriate. + +??? check "Email Encryption" + + Disroot allows for encrypted emails to be sent from their webmail application using OpenPGP. However, Disroot has not integrated a Web Key Directory (WKD) for users on their platform. + +??? missing ".onion Service" + + Disroot does not operate a .onion service. + +??? info "Additional Functionality" + + They offer [other services](https://disroot.org/en/#services) such as NextCloud, XMPP Chat, Etherpad, Ethercalc, Pastebin, Online polls and a Gitea instance. They also have an app [available in F-Droid](https://f-droid.org/packages/org.disroot.disrootapp/). + +### Tutanota + +!!! 
recommendation + + ![Tutanota logo](/assets/img/email/tutanota.svg#only-light){ align=right } + ![Tutanota logo](/assets/img/email/tutanota-dark.svg#only-dark){ align=right } + + **[Tutanota.com](https://tutanota.com)** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + **Free** + + [Visit Tutanota.org](https://tutanota.org){ .md-button .md-button--primary } + +Tutanota [doesn't allow](https://tutanota.com/faq/#imap) the use of third-party [email clients](https://privacyguides.org/software/email/). Tutanota has no plans pull email from [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) using the [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) protocol. [Email import](https://github.com/tutao/tutanota/issues/630) is currently not possible. + +Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail). Tutanota does not allow for [subfolders](https://github.com/tutao/tutanota/issues/927) as you might expect with other email providers. + +Tutanota is working on a [desktop client](https://tutanota.com/blog/posts/desktop-clients/) and they have an app [available in F-Droid](https://f-droid.org/packages/de.tutao.tutanota). They also have their app in conventional stores such as [App Store](https://apps.apple.com/us/app/tutanota/id922429609) on iOS and [Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) for Android. + +??? check "Custom Domains and Aliases" + + Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). 
Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +??? warning "Private Payment Methods" + + Tutanota only directly accepts credit cards and PayPal, however Bitcoin and Monero can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +??? check "Account Security" + + Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa). Users can either use [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) or [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor). U2F support is [not yet available on Android](https://github.com/tutao/tutanota/issues/443). + +??? check "Data Security" + + Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +??? warning "Email Encryption" + + Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota users can only receive encrypted emails when external users send them through a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + + Tutanota [does have plans](https://github.com/tutao/tutanota/issues/198) to support [AutoCrypt](https://autocrypt.org). This would allow for external users to send encrypted emails to Tutanota users as long as their email client supports the AutoCrypt headers. + +??? missing ".onion Service" + + Tutanota does not operate a .onion service but [may consider](https://github.com/tutao/tutanota/issues/528) it in the future. + +??? 
info "Additional Functionality" + + Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + + Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +### StartMail + +!!! recommendation + + ![StartMail logo](/assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](/assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + **USD $59.95/year** + + [Visit StartMail.com](https://startmail.com/){ .md-button .md-button--primary } + +??? check "Custom Domains and Aliases" + + Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +??? warning "Private Payment Methods" + + StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +??? check "Account Security" + + StartMail supports [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) security key authentication. + +??? 
info "Data Security" + + StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When a user logs in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + + StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption, so a [standalone option](https://privacyguides.org/software/calendar-contacts/) may be more appropriate. + +??? check "Email Encryption" + + StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending messages to users with public OpenPGP keys. + +??? missing ".onion Service" + + StartMail does not operate a .onion service. + +??? info "Additional Functionality" + + StartMail allows for proxying of images within emails. If a user allows the remote image to be loaded, the sender won't know what the user's IP address is. + +### CTemplar + +!!! recommendation + + ![CTemplar Logo](/assets/img/email/ctemplar.svg#only-light){ align=right } + ![CTemplar Logo](/assets/img/email/ctemplar-dark.svg#only-dark){ align=right } + + **CTemplar** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. CTemplar has been in operation since **2018** and is run from Iceland. Paid accounts start with 5GB. They offer free accounts by [invitation](https://ctemplar.com/email-creation-restriction/). + + **USD $96/year** + + [Visit CTemplar.com](https://ctemplar.com){ .md-button .md-button--primary } + +??? 
check "Custom Domains and Aliases" + + Paid accounts can use [Custom Domains](https://ctemplar.com/help/answer/add-a-domain/) and [aliases](https://ctemplar.com/help/answer/how-to-create-aliases/). + +??? check "Private Payment Methods" + + CTemplar [payment options](https://ctemplar.com/help/answer/payment-options/) include Credit cards via Stripe, Bitcoin and Monero. + +??? check "Account Security" + + CTemplar supports [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) two factor authentication [for webmail only](https://ctemplar.com/help/answer/setting-up-two-factor-authentication-2fa/). They do not allow [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) security key authentication. + +??? check "Data Security" + + CTemplar has [zero access encryption at rest](https://ctemplar.com/help/answer/what-encryption-method-is-used/), using PGP. They support [protected headers](https://datatracker.ietf.org/doc/html/draft-autocrypt-lamps-protected-headers-02/) and therefore there is [subject encryption](https://ctemplar.com/help/answer/subject-encryption/). + + CTemplar supports importing [contacts](https://ctemplar.com/help/answer/importing-contacts/) and [contacts are encrypted](https://ctemplar.com/help/answer/contact-encryption/) at rest however, they are only accessible in the webmail and apps. + +??? check "Email Encryption" + + CTemplar has [integrated encryption](https://ctemplar.com/help/answer/how-does-encryption-decryption-work-in-ctemplar/) in their webmail, which simplifies sending messages to users with public OpenPGP keys. + +??? warning ".onion Service" + + CTemplar's .onion service [ctemplarpizuduxk3fkwrieizstx33kg5chlvrh37nz73pv5smsvl6ad.onion](http://ctemplarpizuduxk3fkwrieizstx33kg5chlvrh37nz73pv5smsvl6ad.onion /) is [currently disabled](https://twitter.com/RealCTemplar/status/1458775445202157570) for webmail access, due to a Tor Browser [bug](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32865). 
+ +??? info "Additional Functionality" + + CTemplar has a [dead man timer](https://ctemplar.com/help/answer/setting-up-a-dead-mans-timer/) feature that will automatically send a specific message that you've set after a given period of time. + + CTemplar also has a feature that allows users verify [checksums](https://ctemplar.com/ctemplar-checksum-implementation/) of production pages with a public copy on Github. + + Electron clients exist for Windows, Mac and Linux. Official clients also exist for iOS and Android ([including F-Droid](https://f-droid.org/en/packages/com.ctemplar.app.fdroid).) All of these clients are [open source](https://github.com/orgs/CTemplar/repositories). + +## Our Criteria + +**Please note we are not affiliated with any of the providers we recommend.** This allows us to provide completely objective recommendations. We have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Jurisdiction + +Operating outside the five/nine/fourteen-eyes countries is not necessarily a guarantee of privacy, and there are other factors to consider. + +**Minimum to Qualify:** + +- Operating outside the USA or other Five Eyes countries. + +**Best Case:** + +- Operating outside the USA or other Fourteen Eyes countries. +- Operating inside a country with strong consumer protection laws. + +### Technology + +We regard these features as important in order to provide a safe and optimal service to users. Users should consider the provider which has the features they require. + +**Minimum to Qualify:** + +- Encrypts account data at rest. 
+- Integrated webmail encryption provides convenience to users who want improve on having no [E2EE](https://en.wikipedia.org/wiki/End-to-end_encryption) encryption. + +**Best Case:** + +- Encrypts account data at rest with zero-access encryption. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad, be acquired by another company which doesn't prioritize privacy etc. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. + GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- [Catch all](https://en.wikipedia.org/wiki/Email_filtering) or [aliases](https://en.wikipedia.org/wiki/Email_alias) for users who own their own domains. +- Use of standard email access protocols such as [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol), [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. 
Filter it from showing in the `Received` header field.
+- Don't require personally identifiable information (PII) besides username and password.
+- Privacy policy that meets the requirements defined by the GDPR
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+
+### Security
+
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their users.
+
+**Minimum to Qualify:**
+
+- Protection of webmail with [two-factor authentication (2FA)](https://en.wikipedia.org/wiki/Multi-factor_authentication), such as [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm).
+- Encryption at rest, (e.g. [dm-crypt](https://en.wikipedia.org/wiki/dm-crypt)) this protects the contents of the servers in case of unlawful seizure.
+- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
+- No [TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) errors/vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com), [testssl.sh](https://testssl.sh) or [Qualys SSL Labs](https://www.ssllabs.com/ssltest), this includes certificate related errors, poor or weak ciphers suites, weak DH parameters such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
+- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
+- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
+- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or utilize [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication.
If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
+- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
+- Website security standards such as:
+
+- [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+- [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+
+**Best Case:**
+
+- Support for hardware authentication, ie [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate users, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
+- Zero access encryption, builds on encryption at rest. The difference being the provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
+- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for users who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+- Website security standards such as:
+
+- [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+- [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the email providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those users who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Claims of "unbreakable encryption". Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, e.g.:
+
+- Reusing personal information e.g. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
+- [Browser fingerprinting](https://privacyguides.org/browsers/#fingerprint)
+
+**Best Case:**
+
+- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
+
+### Additional Functionality
+
+While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
+
+## Email Encryption Overview
+
+### What is end-to-end encryption (E2EE) encryption in email?
+
+[End-to-end encryption (E2EE)](https://en.wikipedia.org/wiki/End-to-end_encryption) is a way of encrypting email contents so that nobody but the recipient(s) can read the email message.
+
+### How can I encrypt my email?
+
+The standard way to do email E2EE and have it work between different email providers is with [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP). There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+
+There is another standard that was popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+
+### What software can I use to get E2EE?
+
+Email providers which allow you to use standard access protocols like [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) and [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) can be used with any of the [email clients we recommend](https://privacyguides.org/software/email/). This can be less secure as you are now relying on email providers to ensure that their encryption implementation works and has not been compromised in anyway.
+
+### How do I protect my private keys?
+
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+
+It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
+
+## Email Metadata Overview
+
+### Who can see the email metadata?
+
+Email metadata is able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients. Sometimes email servers will also use external parties to protect against spam.
+
+### What is email metadata?
+
+Email software will often show some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`.
+
+### When is email metadata used?
+
+Client software may use it to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) not transparent to the user.
+
+### Where is the email metadata?
+
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message.
+
+### Why can't email metadata be E2EE?
+
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally and is also optional, therefore, only the message content is protected.
+
+### How is my metadata protected?
+
+When emails travel between email providers an encrypted connection is negotiated using [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS).
This protects the metadata from outside observers, but as it is not E2EE, server administrators can snoop on the metadata of an email.
+
+## Email Cloaking Services
+
+!!! recommendation
+
+ ![AnonAddy logo](/assets/img/email/anonaddy.svg#only-light){ align=right }
+ ![AnonAddy logo](/assets/img/email/anonaddy-dark.svg#only-dark){ align=right }
+
+ **[AnonAddy](https://anonaddy.com)** lets users create aliases that forward to their email address. Can be self-hosted. [Source code on GitHub](https://github.com/anonaddy/anonaddy).
+
+!!! recommendation
+
+ ![Simplelogin logo](/assets/img/email/simplelogin.svg){ align=right }
+
+ **[SimpleLogin](https://simplelogin.io)** allows you to easily create aliases for your email. Can be self-hosted. [Source code on GitHub](https://github.com/simple-login/app).
+
+## Self-Hosting Email
+
+Advanced users may consider setting up their own email server. Mailservers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+
+### Combined software solutions
+
+!!! recommendation
+
+ ![Mail-in-a-Box logo](/assets/img/email/mail-in-a-box.svg){ align=right }
+
+ **[Mail-in-a-Box](https://mailinabox.email)** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for users to set up their own mail server.
+
+!!! recommendation
+
+ ![Mailcow logo](/assets/img/email/mailcow.svg){ align=right }
+
+ **[Mailcow](https://mailcow.email)** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mailserver with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. **[Mailcow Dockerized docs](https://mailcow.github.io/mailcow-dockerized-docs/)**
+
+
+For a more manual approach we've picked out these two articles.
+
+- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
+- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
+
+## Additional Reading
+
+- [An NFC PGP SmartCard For Android](https://www.grepular.com/An_NFC_PGP_SmartCard_For_Android)
+- [Aging 'Privacy' Law Leaves Cloud E-Mail Open to Cops (2011)](https://www.wired.com/2011/10/ecpa-turns-twenty-five/)
+- [The Government Can (Still) Read Most Of Your Emails Without A Warrant (2013)](https://thinkprogress.org/the-government-can-still-read-most-of-your-emails-without-a-warrant-322fe6defc7b/)
diff --git a/docs/encryption.md b/docs/encryption.md
new file mode 100644
index 00000000..cf3243ed
--- /dev/null
+++ b/docs/encryption.md
@@ -0,0 +1,175 @@
+---
+title: Encryption Software
+icon: material/file-lock
+---
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails, or file archives, you should pick an option here.
+
+## Multi-platform
+The options listed here are multi-platform and great for creating encrypted backups of your data.
+
+### VeraCrypt
+!!! recommendation
+
+ ![VeraCrypt logo](/assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+ ![VeraCrypt logo](/assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+ **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
+
+ [Visit veracrypt.fr](https://veracrypt.fr){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+ - [:fontawesome-brands-git: Source](https://www.veracrypt.fr/code)
+
+### GNU Privacy Guard
+!!! recommendation
+
+ ![GNU Privacy Guard logo](/assets/img/encryption-software/gnupg.svg){ align=right }
+
+ **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Current versions of PGP (and Veridis' Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems.
GnuPG is a part of the Free Software Foundation's GNU software project, and has received major funding from the German government.
+
+ [Visit gnupg.org](https://gnupg.org){ .md-button .md-button--primary } [Privacy Policy](https://gnupg.org/privacy-policy.html){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html)
+ - [:fontawesome-brands-apple: macOS](https://gpgtools.org)
+ - [:fontawesome-brands-linux: Linux](https://gnupg.org/download/index.html#binary)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+ - [:fontawesome-brands-git: Source](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git)
+
+### Cryptomator
+!!! recommendation
+
+ ![Cryptomator logo](/assets/img/encryption-software/cryptomator.svg){ align=right }
+
+ **Cryptomator** makes it easy for you to upload files to the cloud in a virtual encrypted filesystem.
+
+ Some of the libraries have been [audited](https://cryptomator.org/open-source/) by [cure53](https://cryptomator.org/audits/2017-11-27%20crypto%20cure53.pdf).
+
+ [Visit cryptomator.org](https://cryptomator.org){ .md-button .md-button--primary } [Privacy Policy](https://cryptomator.org/privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://cryptomator.org/downloads)
+ - [:fontawesome-brands-apple: macOS](https://cryptomator.org/downloads)
+ - [:fontawesome-brands-linux: Linux](https://cryptomator.org/downloads)
+ - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+ - [:fontawesome-brands-android: F-Droid repo](https://cryptomator.org/android)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+ - [:fontawesome-brands-github: Source](https://github.com/cryptomator)
+
+### Picocrypt
+!!! recommendation
+
+ ![Picocrypt logo](/assets/img/encryption-software/picocrypt.svg){ align=right }
+
+ **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.
+
+ We think the best usecase for this is if you need to encrypt some files, or archives.
+
+ [Visit github.com](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:fontawesome-brands-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:fontawesome-brands-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+ - [:fontawesome-brands-github: Source](https://github.com/HACKERALERT/Picocrypt)
+
+## Operating system included Full Disk Encryption (FDE)
+Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki/Disk_encryption) and will utilize a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
+
+### Bitlocker
+!!! recommendation
+
+ ![Bitlocker logo](/assets/img/encryption-software/bitlocker.png){ align=right }
+
+ **Bitlocker** is the default full volume encryption that comes with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [Elcomsoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it: [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection/).
+
+
+ [Visit microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview){ .md-button .md-button--primary }
+
+### Filevault
+!!! recommendation
+
+ ![Filevault logo](/assets/img/encryption-software/filevault.png){ align=right }
+
+ **Filevault** is the on-the-fly disk encryption that comes with MacOS. We recommend it because tightly intergrates with the [Apple T2 Security Chip](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/1/web/1).
+
+ [Visit support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary }
+
+### Linux Unified Key Setup (LUKS)
+!!! recommendation
+
+ ![LUKS logo](/assets/img/encryption-software/luks.png){ align=right }
+
+ **LUKS** is the default full disk encryption method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
+
+ ## Creating encrypted containers
+ ```
+ dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
+ sudo cryptsetup luksFormat /path-to-file
+ ```
+
+ ## Opening encrypted containers
+ We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can now unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
+ ```
+ udisksctl loop-setup -f /path-to-file
+ udisksctl unlock -b /dev/loop0
+ ```
+
+ ## Backup of volume headers
+ We recommend you always [backup your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
+
+ ```
+ cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
+ ```
+
+ [Visit gitlab.com](https://gitlab.com/cryptsetup/cryptsetup){ .md-button .md-button--primary }
+
+## Browser-based
+Web based encryption can be useful when you need to encrypt a file, and you cannot install software or apps on your device.
+
+### hat.sh
+!!! recommendation
+
+ ![hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ align=right }
+ ![hat.sh logo](/assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right }
+
+ **Hat.sh** is a web application that provides secure client-side file encryption in your browser.
It can also be selfhosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.
+
+ [Visit hat.sh](https://hat.sh){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-github: Source](https://github.com/sh-dv/hat.sh)
+
+## Command-line
+Tools with commandline interfaces are useful for intergrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
+
+### Kryptor
+!!! recommendation
+
+ ![Kryptor logo](/assets/img/encryption-software/kryptor.png){ align=right }
+
+ **Kryptor** is a free and open source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, user friendly alternative to GPG.
+
+ [Visit kryptor.co.uk](https://www.kryptor.co.uk){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-apple: macOS](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-linux: Linux](https://www.kryptor.co.uk)
+ - [:fontawesome-brands-github: Source](https://github.com/samuel-lucas6/Kryptor)
+
+### Tomb
+!!! recommendation
+
+ ![Tomb logo](/assets/img/encryption-software/tomb.png){ align=right }
+
+ **Tomb** is an is a commandline shell wrapper around LUKS. It includes uses some [third party tools](https://github.com/dyne/Tomb#how-does-it-work) to provide [steganography](https://en.wikipedia.org/wiki/Steganography).
+
+ [Visit dyne.org](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-github: Source](https://github.com/dyne/Tomb)
diff --git a/docs/file-sharing.md b/docs/file-sharing.md
new file mode 100644
index 00000000..3307d7d4
--- /dev/null
+++ b/docs/file-sharing.md
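Review bot: In the LUKS card of docs/encryption.md, the "Backup of volume headers" step gives the `cryptsetup luksHeaderBackup` command without saying that the resulting file contains the volume's key slots, so it can still be unlocked with any passphrase that was valid when the backup was made, even after that passphrase is changed or removed on the device. I would add after the command: `Store the header backup as securely as the volume itself, and replace it (destroying the old copy) after changing a passphrase.` In the same card, `udisksctl unlock -b /dev/loop0` assumes the container was attached as `loop0`; `udisksctl loop-setup` prints the device it mapped, so the text should tell readers to unlock that device instead. The three `##` headings inside the admonition are at the same level as the page's own sections and would read better as bold labels.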
@@ -0,0 +1,97 @@
+---
+title: File Sharing and Sync
+icon: material/share-variant
+---
+Discover how to privately share your files between your devices, with your friends and family, or anonymously online.
+
+## File Sharing
+
+### OnionShare
+!!! recommendation
+
+ ![OnionShare logo](/assets/img/file-sharing-sync/onionshare.svg){ align=right }
+
+ **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files.
+
+ [Visit onionshare.org](https://onionshare.org){ .md-button .md-button--primary } [:pg-tor:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://onionshare.org/#download)
+ - [:fontawesome-brands-apple: macOS](https://onionshare.org/#download)
+ - [:fontawesome-brands-linux: Linux](https://onionshare.org/#download)
+ - [:fontawesome-brands-github: Source](https://github.com/onionshare/onionshare)
+
+### Magic Wormhole
+!!! recommendation
+
+ ![Magic Wormhole logo](/assets/img/file-sharing-sync/magic_wormhole.png){ align=right }
+
+ Magic Wormhole is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. Their motto: "Get things from one computer to another, safely.
+
+ [Visit magic-wormhole.readthedocs.io](https://magic-wormhole.readthedocs.io){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation)
+ - [:fontawesome-brands-apple: macOS](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#macos-os-x)
+ - [:fontawesome-brands-linux: Linux](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation)
+ - [:fontawesome-brands-github: Source](https://github.com/magic-wormhole/magic-wormhole)
+
+
+### croc
+!!! recommendation
+
+ ![croc logo](/assets/img/file-sharing-sync/croc.jpg){ align=right }
+
+ **Croc** is a way to easily and securely send arbitrary-sized files from one computer to another. Similar to Magic Wormhole but without dependencies, resulting in a smaller application.
+
+ [Visit schollz.com](https://schollz.com/blog/croc6){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://github.com/schollz/croc/releases)
+ - [:fontawesome-brands-apple: macOS](https://github.com/schollz/croc/releases)
+ - [:fontawesome-brands-linux: Linux](https://github.com/schollz/croc/releases)
+ - [:fontawesome-brands-github: Source](https://github.com/schollz/croc)
+
+## FreedomBox
+!!! recommendation
+
+ ![FreedomBox logo](/assets/img/file-sharing-sync/freedombox.svg){ align=right }
+
+ **FreedomBox** is a operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to selfhost.
+
+ [Visit freedombox.org](https://freedombox.org){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-git: Source](https://salsa.debian.org/freedombox-team/freedombox)
+
+## File Sync
+
+### Syncthing
+!!!
recommendation
+
+ ![Syncthing logo](/assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+ **Syncthing** replaces proprietary sync and cloud services with something open, trustworthy, and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third-party, and how it is transmitted over the Internet.
+
+ [Visit syncthing.net](https://syncthing.net){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://syncthing.net/downloads)
+ - [:fontawesome-brands-apple: macOS](https://syncthing.net/downloads)
+ - [:fontawesome-brands-linux: Linux](https://syncthing.net/downloads)
+ - [:fontawesome-brands-github: Source](https://github.com/syncthing)
+
+### git-annex
+!!! recommendation
+
+ ![git-annex logo](/assets/img/file-sharing-sync/gitannex.svg){ align=right }
+
+ **git-annex** allows managing files with git, without checking the file contents into git. While that may seem paradoxical, it is useful when dealing with files larger than git can currently easily handle, whether due to limitations in memory, time, or disk space.
+
+ [Visit git-annex.branchable.com](https://git-annex.branchable.com){ .md-button .md-button--primary } [Privacy Policy](https://git-annex.branchable.com/privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://git-annex.branchable.com/install/Windows)
+ - [:fontawesome-brands-apple: macOS](https://git-annex.branchable.com/install/OSX)
+ - [:fontawesome-brands-linux: Linux](https://git-annex.branchable.com/install)
+ - [:fontawesome-brands-git: Source](https://git-annex.branchable.com/install/fromsource/)
diff --git a/docs/index.md b/docs/index.md
new file mode 100644
index 00000000..5d56b8be
--- /dev/null
+++ b/docs/index.md
@@ -0,0 +1,45 @@
+---
+template: overrides/home.html
+hide:
+ - navigation
+ - toc
+---
+
+
+
+## Why should I care?
+
+##### “I have nothing to hide. Why should I care about my privacy?”
+
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, we didn't always have the right to privacy. In several dictatorships, many still don't. Generations before ours fought for our right to privacy. ==Privacy is a human right inherent to all of us== that we are entitled to without discrimination.
+
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to hide, privacy is something that makes you human.
+
+ +
+## What should I do?
+
+##### First, you need to make a plan.
+
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and by thinking ahead you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins with understanding the unique threats you face, and how you can counter them.
+
+==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
+
+[:material-book-outline: Learn More About Threat Modeling](threat-modeling.md){ .md-button .md-button--primary }
+
+
+ +
+## We need you! Here's how to get involved
+
+It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. We try our best to keep up, but we're not perfect and the internet is changing fast. If you find an error, think a provider should not be listed here, notice a qualified service provider is missing, believe a browser plugin is not the best choice anymore, or uncover anything else... Talk to us please.
+
+
+
+- [:fontawesome-brands-reddit: Join the r/PrivacyGuides Subreddit](https://www.reddit.com/r/privacyguides)
+- [:fontawesome-brands-twitter: Follow @Privacy_Guides on Twitter](https://twitter.com/privacy_guides)
+- [:material-book-edit: Contribute to this website](https://github.com/privacyguides/privacyguides.org)
+- [:material-chat: Chat with us on Matrix](https://matrix.to/#/#privacyguides:matrix.org)
+
+
+
diff --git a/collections/_evergreen/linux-desktop.md b/docs/linux-desktop.md
similarity index 50%
rename from collections/_evergreen/linux-desktop.md
rename to docs/linux-desktop.md
index e8c8f046..2826cc85 100644
--- a/collections/_evergreen/linux-desktop.md
+++ b/docs/linux-desktop.md
@@ -1,64 +1,152 @@ --- -layout: evergreen -title: Linux Desktop -mathjax: false -description: | - Linux distributions are commonly recommended for privacy protection and user freedom. Below are some suggestions with some general privacy and security improvements. +icon: fontawesome/brands/linux --- -## Traditional distributions -{% for item_hash in site.data.operating-systems.linux-desktop %} -{% assign item = item_hash[1] %} +Linux distributions are commonly recommended for privacy protection and user freedom. Below are some suggestions with some general privacy and security improvements. -{% if item.type == "Recommendation" %} -{% include recommendation-card.html %} -{% endif %} +## Traditional Distributions -{% endfor %} +### Fedora Workstation -## Immutable distributions -{% for item_hash in site.data.operating-systems.linux-desktop-immutable %} -{% assign item = item_hash[1] %} +!!! recommendation -{% if item.type == "Recommendation" %} -{% include recommendation-card.html %} -{% endif %} + ![Fedora logo](/assets/img/linux-desktop/fedora-workstation.svg){ align=right } -{% endfor %} + **Fedora Workstation** is our recommended distribution for users new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), and soon, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). These new technologies often come with improvements in security, privacy, and usability in general. -## Anonymity-focused distributions -{% for item_hash in site.data.operating-systems.linux-desktop-tor %} -{% assign item = item_hash[1] %} + [Visit getfedora.org](https://getfedora.org/){ .md-button .md-button--primary } -{% if item.type == "Recommendation" %} -{% include recommendation-card.html %} -{% endif %} +Fedora has a semi-[rolling release](https://en.wikipedia.org/wiki/Rolling_release) cycle. 
While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. -{% endfor %} +### openSUSE Tumbleweed -## GNU/Linux -It is often believed that [open source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn't always [the case](https://seirdy.one/2022/02/02/floss-security.html). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. +!!! recommendation + + ![openSUSE Tumbleweed logo](/assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable [rolling release](https://en.wikipedia.org/wiki/Rolling_release) distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [Visit get.opensuse.org](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When the user upgrades their system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by the [openSUSE Build Service](https://build.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! 
recommendation + + ![Arch logo](/assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [Visit archlinux.org](https://archlinux.org/){ .md-button .md-button--primary } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, the user is [expected to setup and maintain](https://privacyguides.org/linux-desktop/#arch-based-distributions) their system. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](/assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [Visit silverblue.fedoraproject.org](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + +Silverblue (and Kionite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). 
The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete the user will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that a user can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distrbutions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](/assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [Visit nixos.org](https://nixos.org/){ .md-button .md-button--primary } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. 
There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also _test_ the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single Github repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed _pure_ environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](/assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. + + [Visit whonix.org](https://www.whonix.org/){ .md-button .md-button--primary } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway”. All communications from the Workstation has to go through the Tor gateway, and will be routed through the Tor Network. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. 
+ +Future versions of Whonix will likely include [full system Apparmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers). + +### Tails + +!!! recommendation + + ![Tails logo](/assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor. + + It can boot on almost any computer from a DVD, USB stick, or sdcard. It aims to preserve privacy and anonymity while circumventing censorship and leaving no trace of itself on the computer it is used on. + + [Visit tails.boum.org](https://tails.boum.org/){ .md-button .md-button--primary } + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/first_steps/persistence/index.en.html) can be configured to store some data. + +## GNU/Linux Overview + +It is often believed that [open source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/2022/02/02/floss-security.html). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. 
At the moment, desktop GNU/Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g: - * A verified boot chain, unlike Apple's [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android's [Verified Boot](https://source.android.com/security/verifiedboot) or Microsoft Windows's [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) - * Strong sandboxing solution such as that found in [MacOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). 
Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go - * Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) +- A verified boot chain, unlike Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot) or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- Strong sandboxing solution such as that found in [MacOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). 
Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) Despite these drawbacks, desktop GNU/Linux distributions are great if you want to: - * Avoid telemetry that often comes with proprietary operating systems - * Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) - * Have purpose built systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have purpose built systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) -This page uses the term "Linux" to describe desktop GNU/Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. +This page uses the term “Linux” to describe desktop GNU/Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. ### Release cycle -We highly recommend that you choose distributions which stay close to the stable upstream software releases. This is because frozen release cycle distributions often don't update package versions and fall behind on security updates. -For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such [example](https://www.debian.org/security/faq#handling)) rather than bump the software to the "next version" released by the upstream developer. 
Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. +We highly recommend that you choose distributions which stay close to the stable upstream software releases. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. -We don't believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: +For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such [example](https://www.debian.org/security/faq#handling)) rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: -### "Security-focused" distributions -There is often some confusion about "security-focused" distributions and "pentesting" distributions. A quick search for "the most secure Linux distribution" will often give results like Kali Linux, Black Arch, and Parrot OS. 
These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don't include any "extra security" or defensive mitigations intended for regular use. +### “Security-focused” distributions + +There is often some confusion about “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch, and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. ### Arch-based distributions + Arch based distributions are not recommended for new users, regardless of the distribution. Arch does not have an distribution update mechanism for the underlying software choices. As a result the user of the system must stay aware with current trends and adopt technologies as they supersede older practices. For a secure system, the user is also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). 
@@ -97,55 +188,65 @@ Any user using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title For advanced users, we only recommend Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: - * **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don't break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch's repositories. - * **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don't suffer from supply chain attacks. +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Linux-libre kernel and “Libre” distributions -### Linux-libre kernel and "Libre" distributions We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. ## General Recommendations + ### Drive Encryption + Most Linux distributions have an installer option for enabling [Linux Unified Key Setup (LUKS)](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) encryption upon installation. 
-If this option isn't set at installation time, the user will have to backup their data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning) but before [file systems](https://en.wikipedia.org/wiki/File_system) are [formatted](https://en.wikipedia.org/wiki/Disk_formatting). +If this option isn’t set at installation time, the user will have to backup their data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning) but before [file systems](https://en.wikipedia.org/wiki/File_system) are [formatted](https://en.wikipedia.org/wiki/Disk_formatting). When securely erasing storage devices such as a [Solid-state drive (SSD)](https://en.wikipedia.org/wiki/Solid-state_drive) you should use the [ATA Secure Erase](https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase) command. This command can be issued from your UEFI setup. If the storage device is a regular [hard drive](https://en.wikipedia.org/wiki/Hard_disk_drive), consider using [`nwipe`](https://en.wikipedia.org/wiki/Nwipe). ### Swap + Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM](https://fedoraproject.org/wiki/Changes/SwapOnZRAM) by default. ### Wayland + We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it developed with security [in mind](https://lwn.net/Articles/589147/). 
Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. -Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you're using one of those environments it is as easy as selecting the "Wayland" session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). 
We recommend **against** using desktop environments or window managers that do not have Wayland support such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, XFCE, and i3. ### Proprietary firmware (microcode updates) -Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don't come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. 
Fedora and openSUSE both have the microcode updates applied by default. ## Privacy tweaks + ### MAC address randomization + Many desktop Linux distributions (Fedora, openSUSE etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. -It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you're connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). -There isn't much point in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi's firmware. 
+There isn’t much point in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. ### Other identifiers -There are other system [identifiers](https://madaidans-insecurities.github.io/guides/linux-hardening.html#identifiers) which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](/threat-modeling): - * [10.1 Hostnames and usernames](https://madaidans-insecurities.github.io/guides/linux-hardening.html#hostnames) - * [10.2 Time zones / Locales / Keymaps](https://madaidans-insecurities.github.io/guides/linux-hardening.html#timezones-locales-keymaps) - * [10.3 Machine ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id) +There are other system [identifiers](https://madaidans-insecurities.github.io/guides/linux-hardening.html#identifiers) which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](https://privacyguides.org/threat-modeling): + +- [10.1 Hostnames and usernames](https://madaidans-insecurities.github.io/guides/linux-hardening.html#hostnames) +- [10.2 Time zones / Locales / Keymaps](https://madaidans-insecurities.github.io/guides/linux-hardening.html#timezones-locales-keymaps) +- [10.3 Machine ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id) ### System counting + The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. 
This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. 
@@ -153,68 +254,75 @@ This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-bot openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. ## Sandboxing and Application confinement + Some sandboxing solutions for desktop Linux distributions do exist, however they are not as strict as those found in MacOS or ChromeOS. Applications installed from the package manager (`dnf`, `apt`, etc.) typically have **no** sandboxing or confinement whatsoever. Below are a few projects that aim to solve this problem: ### Flatpak -[Flatpak](https://flatpak.org) aims to be a universal package manager for Linux. One of its main goals is to provide a universal package format which can be used in most Linux distributions. It provides some [permission control](https://docs.flatpak.org/en/latest/sandbox-permissions.html). Madaidan [points out](https://madaidans-insecurities.github.io/linux.html#flatpak) that Flatpak sandboxing could be improved as particular Flatpaks often have greater permission than required. -There does seem to be [some agreement](https://theevilskeleton.gitlab.io/2021/02/11/response-to-flatkill-org.html) that this is the case. + +[Flatpak](https://flatpak.org) aims to be a universal package manager for Linux. One of its main goals is to provide a universal package format which can be used in most Linux distributions. It provides some [permission control](https://docs.flatpak.org/en/latest/sandbox-permissions.html). Madaidan [points out](https://madaidans-insecurities.github.io/linux.html#flatpak) that Flatpak sandboxing could be improved as particular Flatpaks often have greater permission than required. There does seem to be [some agreement](https://theevilskeleton.gitlab.io/2021/02/11/response-to-flatkill-org.html) that this is the case. 
Users can restrict applications further by issuing [Flatpak overrides](https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak-override). This can be done with the command-line or by using [Flatseal](https://flathub.org/apps/details/com.github.tchx84.Flatseal). Some sample overrides are provided by [tommytran732](https://github.com/tommytran732/Flatpak-Overrides) and [rusty-snake](https://github.com/rusty-snake/kyst/tree/main/flatpak). We generally recommend revoking access to: -* the Network (`share=network`) socket (internet access) -* the PulseAudio socket (for both audio in and out), `device=all` (access to all devices including the camera) -* `org.freedesktop.secrets` dbus (access to secrets stored on your keychain) for applications which do not need it +- the Network (`share=network`) socket (internet access) +- the PulseAudio socket (for both audio in and out), `device=all` (access to all devices including the camera) +- `org.freedesktop.secrets` dbus (access to secrets stored on your keychain) for applications which do not need it -If an application works natively with Wayland (and not running through the [XWayland](https://wayland.freedesktop.org/xserver.html) compatibility layer), consider revoking its access to the X11 (`socket=x11`) and [Inter-process communications (IPC)](https://en.wikipedia.org/wiki/Unix_domain_socket) socket (`share=ipc`) as well. +If an application works natively with Wayland (and not running through the [XWayland](https://wayland.freedesktop.org/xserver.html) compatibility layer), consider revoking its access to the X11 (`socket=x11`) and [Inter-process communications (IPC)](https://en.wikipedia.org/wiki/Unix_domain_socket) socket (`share=ipc`) as well. We also recommend restricting broad filesystem permissions such as `filesystem=home` and `filesystem=host` which should be revoked and replaced with just the directories that the app needs to access. 
Some applications like [VLC](https://www.flathub.org/apps/details/org.videolan.VLC) implement the [Portals](https://docs.flatpak.org/en/latest/portal-api-reference.html) [API](https://en.wikipedia.org/wiki/API), which allows a file manager to pass files to the Flatpak application (e.g. VLC) without direct filesystem access privileges. Security is increased because VLC is only able to access the specific file that the user wants to open, rather than any file at any time the application is open. Hard-coded access to some kernel interfaces like [`/sys`](https://en.wikipedia.org/wiki/Sysfs) and [`/proc`](https://en.wikipedia.org/wiki/Procfs#Linux) and weak [seccomp](https://en.wikipedia.org/wiki/Seccomp) filters unfortunately cannot be secured by the user with Flatpak. ### Firejail + [Firejail](https://firejail.wordpress.com/) is another method of sandboxing. As it is a large [setuid](https://en.wikipedia.org/wiki/Setuid) binary, it has a large [attack surface](https://en.wikipedia.org/wiki/Attack_surface) which may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation). -The main risk is that Firejail may make the system safer from processes confined by it, but make it also less safe from processes running outside of Firejail. We [don't recommend](https://madaidans-insecurities.github.io/linux.html#firejail) the use of Firejail. +The main risk is that Firejail may make the system safer from processes confined by it, but make it also less safe from processes running outside of Firejail. We [don’t recommend](https://madaidans-insecurities.github.io/linux.html#firejail) the use of Firejail. ### Mandatory Access Control + [Mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) systems require policy files in order to force constraints on the system. 
The two main control systems are [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) (used on Android and Fedora) and [AppArmor](https://en.wikipedia.org/wiki/AppArmor). -Fedora includes SELinux preconfigured with some policies that will confine [system daemons](https://en.wikipedia.org/wiki/Daemon_(computing)) (background processes). We don't recommend disabling SELinux. +Fedora includes SELinux preconfigured with some policies that will confine [system daemons](https://en.wikipedia.org/wiki/Daemon_(computing)) (background processes). We don’t recommend disabling SELinux. -openSUSE gives the choice of AppArmor or SELinux during the installation process. We recommend sticking to the default for each variant (AppArmor for [Tumbleweed](https://get.opensuse.org/tumbleweed/) and SELinux for [MicroOS](https://microos.opensuse.org/)). openSUSE's SELinux policies are derived from Fedora. +openSUSE gives the choice of AppArmor or SELinux during the installation process. We recommend sticking to the default for each variant (AppArmor for [Tumbleweed](https://get.opensuse.org/tumbleweed/) and SELinux for [MicroOS](https://microos.opensuse.org/)). openSUSE’s SELinux policies are derived from Fedora. Arch and Arch-based operating systems often do not come with a mandatory access control system and that must be configured manually for either [AppArmor](https://wiki.archlinux.org/title/AppArmor) or [SELinux](https://wiki.archlinux.org/title/SELinux). ### Making your own policies/profiles -For advanced users, you can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles, and [seccomp](https://en.wikipedia.org/wiki/Seccomp) blacklist to have better confinement of applications. This is quite a tedious and complicated task so we won't go into detail about how to do it here, but we do have a few projects that you could use as reference. 
- * Whonix's [AppArmor Everything](https://github.com/Whonix/apparmor-profile-everything) - * Krathalan's [AppArmor profiles](https://github.com/krathalan/apparmor-profiles) - * noatsecure's [SELinux templates](https://github.com/noatsecure/hardhat-selinux-templates) - * Seirdy's [Bubblewrap scripts](https://sr.ht/~seirdy/bwrap-scripts) +For advanced users, you can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles, and [seccomp](https://en.wikipedia.org/wiki/Seccomp) blacklist to have better confinement of applications. This is quite a tedious and complicated task so we won’t go into detail about how to do it here, but we do have a few projects that you could use as reference. + +- Whonix’s [AppArmor Everything](https://github.com/Whonix/apparmor-profile-everything) +- Krathalan’s [AppArmor profiles](https://github.com/krathalan/apparmor-profiles) +- noatsecure’s [SELinux templates](https://github.com/noatsecure/hardhat-selinux-templates) +- Seirdy’s [Bubblewrap scripts](https://sr.ht/~seirdy/bwrap-scripts) ### Securing Linux containers -If you're running a server you may have heard of Linux Containers, Docker, or Podman which refer to a kind of [OS-level virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization). Containers are more common in server and development environments where individual apps are built to operate independently. -[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It does not run a proper sandbox, and this means that there is a large kernel [attack surface](https://en.wikipedia.org/wiki/Attack_surface). The [daemon](https://en.wikipedia.org/wiki/Daemon_(computing)) controls everything and [typically](https://docs.docker.com/engine/security/rootless/#known-limitations) runs as root. If it crashes for some reason, all the containers will crash too. 
The [gVisor](https://en.wikipedia.org/wiki/GVisor) runtime which implements an application level kernel can help limit the number of [syscalls](https://en.wikipedia.org/wiki/System_call) an application can make and can help isolate it from the host's [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)). +If you’re running a server you may have heard of Linux Containers, Docker, or Podman which refer to a kind of [OS-level virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization). Containers are more common in server and development environments where individual apps are built to operate independently. -Red Hat develops [Podman](https://docs.podman.io/en/latest/) and secures it with SELinux to [isolate](https://www.redhat.com/sysadmin/apparmor-selinux-isolation) containers from each other. One of the notable differences between Docker and Podman is that Docker requires [root](https://en.wikipedia.org/wiki/Superuser) while Podman can run with [rootless containers](https://developers.redhat.com/blog/2020/09/25/rootless-containers-with-podman-the-basics) that are also [daemonless](https://developers.redhat.com/blog/2018/08/29/intro-to-podman), meaning if one crashes they don't all come down. +[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It does not run a proper sandbox, and this means that there is a large kernel [attack surface](https://en.wikipedia.org/wiki/Attack_surface). The [daemon](https://en.wikipedia.org/wiki/Daemon_(computing)) controls everything and [typically](https://docs.docker.com/engine/security/rootless/#known-limitations) runs as root. If it crashes for some reason, all the containers will crash too. 
The [gVisor](https://en.wikipedia.org/wiki/GVisor) runtime which implements an application level kernel can help limit the number of [syscalls](https://en.wikipedia.org/wiki/System_call) an application can make and can help isolate it from the host’s [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)). + +Red Hat develops [Podman](https://docs.podman.io/en/latest/) and secures it with SELinux to [isolate](https://www.redhat.com/sysadmin/apparmor-selinux-isolation) containers from each other. One of the notable differences between Docker and Podman is that Docker requires [root](https://en.wikipedia.org/wiki/Superuser) while Podman can run with [rootless containers](https://developers.redhat.com/blog/2020/09/25/rootless-containers-with-podman-the-basics) that are also [daemonless](https://developers.redhat.com/blog/2018/08/29/intro-to-podman), meaning if one crashes they don’t all come down. Another option is [Kata containers](https://katacontainers.io/), where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host. These container technologies can be useful even for enthusiastic home users who may want to run certain web app software on their local area network (LAN) such as [vaultwarden](https://github.com/dani-garcia/vaultwarden) or images provided by [linuxserver.io](https://www.linuxserver.io) to increase privacy by decreasing dependence on various web services. ## Additional hardening + ### Firewalls -A [firewall](https://en.wikipedia.org/wiki/Firewall_(computing)) may be used to secure connections to your system. If you're on a public network, the necessity of this may be greater than if you're on a local trusted network that you control. We would generally recommend that you block incoming connections only, unless you're using an application firewall such as [OpenSnitch](https://github.com/evilsocket/opensnitch) or [Portmaster](https://safing.io/portmaster/). 
+ +A [firewall](https://en.wikipedia.org/wiki/Firewall_(computing)) may be used to secure connections to your system. If you’re on a public network, the necessity of this may be greater than if you’re on a local trusted network that you control. We would generally recommend that you block incoming connections only, unless you’re using an application firewall such as [OpenSnitch](https://github.com/evilsocket/opensnitch) or [Portmaster](https://safing.io/portmaster/). Red Hat distributions (such as Fedora) are typically configured through [firewalld](https://en.wikipedia.org/wiki/Firewalld). Red Hat has plenty of [documentation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/using-and-configuring-firewalld_configuring-and-managing-networking) regarding this topic. There is also the [Uncomplicated Firewall](https://en.wikipedia.org/wiki/Uncomplicated_Firewall) which can be used as an alternative. -Consider blocking all ports which are **not** [well known](https://en.wikipedia.org/wiki/Well-known_port#Well-known_ports) or "privileged ports". That is, ports from 1025 up to 65535. Block both [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) and [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) after the operating system is installed. +Consider blocking all ports which are **not** [well known](https://en.wikipedia.org/wiki/Well-known_port#Well-known_ports) or “privileged ports”. That is, ports from 1025 up to 65535. Block both [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) and [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) after the operating system is installed. If you use Fedora, consider removing the whitelist for for [smb](https://en.wikipedia.org/wiki/Server_Message_Block)-client and [mdns](https://en.wikipedia.org/wiki/Multicast_DNS) services if you do not use them. 
@@ -225,65 +333,76 @@ If you are using Flatpak packages, you can revoke their network socket access us If you are using non-classic [Snap](https://en.wikipedia.org/wiki/Snap_(package_manager)) packages on a system with proper snap confinement support (with both AppArmor and [CGroupsv1](https://en.wikipedia.org/wiki/Cgroups) present), you can use the Snap Store to revoke network permission as well. This is also not bypassable. ### Kernel hardening -There are some additional kernel hardening options such as configuring [sysctl](https://en.wikipedia.org/wiki/Sysctl#Linux) keys and [kernel command-line parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) which are described in the following pages. We don't recommend you change these options unless you learn about what they do. -* [2.2 Sysctl](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl) -* [2.3 Boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters) -* [2.5 Kernel attack surface reduction](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction) +There are some additional kernel hardening options such as configuring [sysctl](https://en.wikipedia.org/wiki/Sysctl#Linux) keys and [kernel command-line parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) which are described in the following pages. We don’t recommend you change these options unless you learn about what they do. 
+ +- [2.2 Sysctl](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl) +- [2.3 Boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters) +- [2.5 Kernel attack surface reduction](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction) Note that setting `kernel.unprivileged_userns_clone=0` will stop Flatpak, Snap (that depend on browser-sandbox), Electron based AppImages, Podman, Docker, and LXC containers from working. Do **not** set this flag if you are using container products. ### Linux-Hardened -Some distributions like Arch Linux have the [linux-hardened](https://github.com/anthraxx/linux-hardened), kernel package. It includes [hardening patches](https://wiki.archlinux.org/title/security#Kernel_hardening) and more security-conscious defaults. Linux-Hardened has `kernel.unprivileged_userns_clone=0` disabled by default. See the [warning above](/linux-desktop/#kernel-hardening) about how this might impact you. + +Some distributions like Arch Linux have the [linux-hardened](https://github.com/anthraxx/linux-hardened), kernel package. It includes [hardening patches](https://wiki.archlinux.org/title/security#Kernel_hardening) and more security-conscious defaults. Linux-Hardened has `kernel.unprivileged_userns_clone=0` disabled by default. See the [warning above](https://privacyguides.org/linux-desktop/#kernel-hardening) about how this might impact you. ### Simultaneous multithreading (SMT) -[SMT](https://en.wikipedia.org/wiki/Simultaneous_multithreading) has been the cause of numerous hardware vulnerabilities, and subsequent patches for those vulnerabilities often come with performance penalties that negate most of the performance gain given by SMT. If you followed the "kernel hardening" section above, some kernel parameters already disable SMT. If the option is available to you, we recommend that you disable it in your firmware as well. 
+ +[SMT](https://en.wikipedia.org/wiki/Simultaneous_multithreading) has been the cause of numerous hardware vulnerabilities, and subsequent patches for those vulnerabilities often come with performance penalties that negate most of the performance gain given by SMT. If you followed the “kernel hardening” section above, some kernel parameters already disable SMT. If the option is available to you, we recommend that you disable it in your firmware as well. ### Hardened memory allocator + The [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) from [GrapheneOS](https://grapheneos.org) can be used on Linux distributions. It is available by default on Whonix and is available as an [AUR package](https://wiki.archlinux.org/title/Security#Hardened_malloc) on Arch based distributions. If you are using the AUR package, consider setting up `LD_PRELOAD` as described in the [Arch Wiki](https://wiki.archlinux.org/title/Security#Hardened_malloc). ### Umask + If you are not using openSUSE, consider changing the default [umask](https://en.wikipedia.org/wiki/Umask) for both regular users and root to 077. Changing umask to 077 can break snapper on openSUSE and is **not** recommended. ### Mountpoint hardening + Consider adding the [following options](https://man7.org/linux/man-pages/man8/mount.8.html) `nodev`, `noexec`, and `nosuid` to [mountpoints](https://en.wikipedia.org/wiki/Mount_(computing)) which do not need them. Typically, these could be applied to `/boot`, `/boot/efi`, `/home`, `/root`, and `/var`. If you use [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/), `/var/log/journal` must not have any of those options. If you are on Arch Linux, do not apply `noexec` to `/var/tmp`. ### Linux Pluggable Authentication Modules (PAM) + There is also further hardening to [PAM](https://en.wikipedia.org/wiki/Linux_PAM) to secure authentication to your system. [14. 
PAM](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam) has some tips on this. On Red Hat distributions you can use [`authselect`](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel) to configure this e.g.: -
+```
 sudo authselect select  with-faillock without-nullok with-pamaccess
-
+``` On systems where [`pam_faillock`](https://man7.org/linux/man-pages/man8/pam_tally.8.html) is not available, consider using [`pam_tally2`](https://man7.org/linux/man-pages/man8/pam_tally.8.html) instead. ### USB port protection + To better protect your [USB](https://en.wikipedia.org/wiki/USB) ports from attacks such as [BadUSB](https://en.wikipedia.org/wiki/BadUSB) we recommend [USBGuard](https://github.com/USBGuard/usbguard). USBGuard has [documentation](https://github.com/USBGuard/usbguard#documentation) as does the [Arch Wiki](https://wiki.archlinux.org/title/USBGuard). -Another alternative option if you're using the [linux-hardened](/linux-desktop/#linux-hardened) is the [`deny_new_usb`](https://github.com/GrapheneOS/linux-hardened/commit/96dc427ab60d28129b36362e1577b6673b0ba5c4) sysctl. See [Preventing USB Attacks with `linux-hardened`](https://blog.lizzie.io/preventing-usb-attacks-with-linux-hardened.html). +Another alternative option if you’re using the [linux-hardened](https://privacyguides.org/linux-desktop/#linux-hardened) is the [`deny_new_usb`](https://github.com/GrapheneOS/linux-hardened/commit/96dc427ab60d28129b36362e1577b6673b0ba5c4) sysctl. See [Preventing USB Attacks with `linux-hardened`](https://blog.lizzie.io/preventing-usb-attacks-with-linux-hardened.html). ### Secure Boot + [Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot) can be used to secure the boot process by preventing the loading of [unsigned](https://en.wikipedia.org/wiki/Public-key_cryptography) [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) drivers or [boot loaders](https://en.wikipedia.org/wiki/Bootloader). Some guidance for this is provided in [21. Physical security](https://madaidans-insecurities.github.io/guides/linux-hardening.html#physical-security) and [21.4 Verified boot](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot). 
For further resources on Secure Boot we suggest taking a look at the following for instructional advice: - * The Archwiki's [Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot) article. There are two main methods, the first is to use a [shim](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim), the second more complete way is to [use your own keys](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys). + +- The Archwiki’s [Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot) article. There are two main methods, the first is to use a [shim](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim), the second more complete way is to [use your own keys](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys). For background of how Secure Boot works on Linux: - * [The Strange State of Authenticated Boot and Disk Encryption on Generic Linux Distributions](https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html) - * [Rod Smith's Managing EFI Boot Loaders for Linux](https://www.rodsbooks.com/efi-bootloaders/) - * [Dealing with Secure Boot](https://www.rodsbooks.com/efi-bootloaders/secureboot.html) - * [Controlling Secure Boot](https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html) -One of the problems with Secure Boot particularly on Linux is that only the [chainloader](https://en.wikipedia.org/wiki/Chain_loading#Chain_loading_in_boot_manager_programs) (shim), the [boot loader](https://en.wikipedia.org/wiki/Bootloader) (GRUB), and the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)) are verified and that's where verification stops. 
The [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) is often left unverified, unencrypted, and open up the window for an [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attack. There are a few things that can be done to reduce risk such as: +- [The Strange State of Authenticated Boot and Disk Encryption on Generic Linux Distributions](https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html) +- [Rod Smith’s Managing EFI Boot Loaders for Linux](https://www.rodsbooks.com/efi-bootloaders/) +- [Dealing with Secure Boot](https://www.rodsbooks.com/efi-bootloaders/secureboot.html) +- [Controlling Secure Boot](https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html) - * Creating an [EFI Boot Stub](https://docs.kernel.org/admin-guide/efi-stub.html) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option. - * [Encrypting the boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). However, this has its own issues, the first being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) the boot process will take minutes to complete. 
- * Using [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) to perform a [measured boot](https://www.krose.org/~krose/measured_boot). +One of the problems with Secure Boot particularly on Linux is that only the [chainloader](https://en.wikipedia.org/wiki/Chain_loading#Chain_loading_in_boot_manager_programs) (shim), the [boot loader](https://en.wikipedia.org/wiki/Bootloader) (GRUB), and the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)) are verified and that’s where verification stops. The [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) is often left unverified, unencrypted, and open up the window for an [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attack. There are a few things that can be done to reduce risk such as: -After setting up Secure Boot it is crucial that you set a "firmware password" (also called a "supervisor password, "BIOS password" or "UEFI password"), otherwise an adversary can simply disable Secure Boot. +- Creating an [EFI Boot Stub](https://docs.kernel.org/admin-guide/efi-stub.html) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option. +- [Encrypting the boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). However, this has its own issues, the first being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. 
As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) the boot process will take minutes to complete. +- Using [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) to perform a [measured boot](https://www.krose.org/~krose/measured_boot). + +After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot. These recommendations can make you a little more resistant to [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, but they not good as a proper verified boot process such as that found on [Android](https://source.android.com/security/verifiedboot), [ChromeOS](https://support.google.com/chromebook/answer/3438631) or [Windows](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). diff --git a/docs/metadata-removal-tools.md b/docs/metadata-removal-tools.md new file mode 100644 index 00000000..9a2b3b59 --- /dev/null +++ b/docs/metadata-removal-tools.md 
@@ -0,0 +1,111 @@
+---
+title: Metadata Removal Tools
+icon: material/tag-remove
+---
+When sharing files, be sure to remove associated metadata. Image files commonly include [EXIF](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include [GPS](https://en.wikipedia.org/wiki/Global_Positioning_System) coordinates in the file metadata.
+
+## Desktop
+
+### MAT2
+!!! recommendation
+
+ ![MAT2 logo](/assets/img/metadata-removal/mat2.svg){ align=right }
+
+ **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
+
+ For Linux users, a third party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+
+ [Visit 0xacab.org](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://pypi.org/project/mat2)
+ - [:fontawesome-brands-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+ - [:fontawesome-brands-linux: Linux](https://pypi.org/project/mat2)
+ - [:fontawesome-solid-earth-americas: Web](https://0xacab.org/jvoisin/mat2#web-interface)
+ - [:fontawesome-brands-gitlab: Source](https://0xacab.org/jvoisin/mat2)
+
+### ExifCleaner
+!!! recommendation
+
+ ![ExifCleaner logo](/assets/img/metadata-removal/exifcleaner.svg){ align=right }
+
+ **ExifCleaner** is a freeware, open source graphical app that uses [ExifTool](https://exiftool.org) to remove [EXIF](https://en.wikipedia.org/wiki/Exif) metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.
+
+ [Visit exifcleaner.com](https://exifcleaner.com){ .md-button .md-button--primary } [Privacy Policy](https://bitwarden.com/privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-apple: macOS](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-linux: Linux](https://github.com/szTheory/exifcleaner/releases)
+ - [:fontawesome-brands-github: Source](https://github.com/szTheory/exifcleaner)
+
+## Mobile
+
+### Scrambled Exif
+!!! recommendation
+
+ ![Scrambled Exif logo](/assets/img/metadata-removal/scrambled-exif.svg){ align=right }
+
+ **Scrambled Exif** is a metadata removal tool for Android. It can remove [EXIF](https://en.wikipedia.org/wiki/Exif) data for many file formats and has been translated into [many](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) languages.
+
+ [Visit gitlab.com](https://gitlab.com/juanitobananas/scrambled-exif){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.jarsilio.android.scrambledeggsif)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.jarsilio.android.scrambledeggsif)
+ - [:fontawesome-brands-gitlab: Source](https://gitlab.com/juanitobananas/scrambled-exif)
+
+### Imagepipe
+!!! recommendation
+
+ ![Imagepipe logo](/assets/img/metadata-removal/imagepipe.svg){ align=right }
+
+ **Imagepipe** is a a paint app for Android that can be used to redact photos and also delete [EXIF](https://en.wikipedia.org/wiki/Exif) metadata. It has been translated into [many](https://codeberg.org/Starfish/Imagepipe#translations) languages.
+
+ !!! info
+ Imagepipe is only available from F-Droid and not in Google Play. If you're looking for a paint app in Google Play we suggest [Pocket Paint](https://play.google.com/store/apps/details?id=org.catrobat.paintroid).
+
+ [Visit codeberg.org](https://codeberg.org/Starfish/Imagepipe){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.jarsilio.android.scrambledeggsif)
+ - [:fontawesome-brands-git: Source](https://codeberg.org/Starfish/Imagepipe)
+
+### Metapho
+!!! recommendation
+
+ ![Metapho logo](/assets/img/metadata-removal/metapho.jpg){ align=right }
+
+ Metapho is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+
+ !!! attention
+ Metapho is closed source. We recommend it, due to the few choices there are for iOS devices.
+
+ [Visit zininworks.com)](https://zininworks.com/metapho){ .md-button .md-button--primary } [Privacy Policy](https://zininworks.com/privacy/){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+## Command-line
+### Exiftool
+!!! recommendation
+
+ ![Exiftool logo](/assets/img/metadata-removal/exiftool.png){ align=right }
+
+ **Exiftool** is the [original](https://en.wikipedia.org/wiki/ExifTool) perl library and command-line application for reading, writing, and editing meta information (EXIF, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+
+ It's often a component of other EXIF removal applications and is in most Linux distribution repositories.
+
+ To delete data from a directory of files:
+ ```
+ exiftool -all= *.file_extension
+ ```
+
+ [Visit exiftool.org](https://exiftool.org){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://exiftool.org)
+ - [:fontawesome-brands-apple: macOS](https://exiftool.org)
+ - [:fontawesome-brands-linux: Linux](https://exiftool.org)
+ - [:fontawesome-brands-git: Source](https://sourceforge.net/projects/exiftool)
+ - [:fontawesome-brands-github: Source](https://github.com/exiftool/exiftool)
diff --git a/docs/multi-factor-authentication.md b/docs/multi-factor-authentication.md
new file mode 100644
index 00000000..25aea64e
--- /dev/null
+++ b/docs/multi-factor-authentication.md
@@ -0,0 +1,84 @@
+---
+title: Multi-factor Authentication
+description: "Using strong MFA can stop over 99% of unauthorized account accesses, and it's easy to set up on the services you already use."
+icon: 'material/two-factor-authentication'
+---
+
+**Two-Factor Authentication** (also known as **2FA**, **Multi-Factor Authentication**, or **MFA**) is a security mechanism that requires additional steps beyond simply your username/email and password. If you've ever had to enter a 6-digit code sent to your phone to log in to a website, that's an example of 2FA.
+
+The idea behind 2FA is that even if a hacker is able to figure out your password (something you *know*), they will still need a device you own like your phone (something you *have*) in order to generate the code needed to log in to your account. 2FA methods vary in security based on this premise: The more difficult it is for an attacker to gain access to your 2FA method, the better. Examples of 2FA methods from strongest to weakest are Email or SMS codes, Push Notifications, Software (TOTP) Code-Generating Apps, and Hardware Keys.
+
+## MFA Method Comparison
+
+==**SMS Codes** or Emailed Codes are better than nothing at all, but only marginally.== Getting a code over SMS or Email takes away from the "something you *have*" idea, because there are a variety of ways a hacker could take over your phone number or gain access to your emails without having physical access to any of your devices at all!
+
+**Push Notifications** take the form of a message being sent to an app on your phone asking you to confirm new account logins. This is a lot better than SMS or Email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, thus requiring physical access to your device. However, they can be easy to click through and accept accidentally, and are typically sent to *all* your devices at once, widening the availability of the 2FA code if you have many devices. This solution is also generally a proprietary solution, so you are reliant on the company you have an account with to implement their custom solution securely rather than implementing an industry standard. Finally, it requires you to keep an app for every login you have on your mobile device, which may or may not be convenient to you.
+
+==If you want to take your security seriously, you should use a dedicated **Authenticator App** on your phone to generate these codes whenever possible.== These authenticator apps follow the same standard, allowing you to keep codes from many different companies in one place for ease-of-use. They also keep the codes securely stored (optionally requiring biometrics on your phone to access them), and make it difficult to duplicate the codes so they cannot be reproduced by a hacker later, even if they briefly had physical access to your phone.
+
+The ultimate form of multi-factor security are **hardware keys**. These are devices that implement a standard such as **FIDO2** or **U2F** that you need to physically attach to your computer to log in to your accounts. They come in a variety of form factors and connect in different ways, such as a USB stick you plug in to your computer, or a Bluetooth/NFC token you connect to your device wirelessly. Some newer computers and mobile devices even have built-in hardware keys! Hardware keys have secure cryptoprocessors (essentially an entire mini computer!) on them which stores and manages your encryption keys. Many of them have specific tamper-resistant mechanisms, but all of them are designed with the idea that they should be impossible to reproduce: The key you have will be the **only** way to gain access to your account.
+
+Ultimately, the best form of two-factor security is the one you will use consistently on every account you have, that doesn't significantly interfere with your life. If you need to log in to an account often or on many devices, a hardware key may prove to be too much of a burden for example.
+
+## Hardware Security Keys
+
+### YubiKey
+
+!!! recommendation
+
+ ![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png)
+
+ The **Yuibkey** was one of the first security keys. It has a wide range of features such as for [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), PGP and One-Time-Pad (OTP) authentication. One of the benefits of this key is that one key can do everything.
+
+ The firmware is not open source and cannot be updated without purchasing a new key.
+
+ [Visit yubico.com](https://www.yubico.com){ .md-button .md-button--primary } [Privacy Policy](https://www.yubico.com/support/terms-conditions/privacy-notice){ .md-button }
+
+### NitroKey
+
+!!! recommendation
+
+ ![NitroKey](/assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
+
+ **NitroKey** has a security key capable of [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+ The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokeys compare. The Nitrokey 3 listed there will have a combined feature set.
+
+ The Nitrokey has an open source firmware, unlike the Yuibkey.
+
+ [Visit nitrokey.com](https://www.nitrokey.com){ .md-button .md-button--primary } [Privacy Policy](https://www.nitrokey.com/data-privacy-policy){ .md-button }
+
+## Authenticator Apps
+==Generally speaking, TOTP software authenticator apps are going to be the best bet for most people.== They provide a significantly higher level of security than just SMS or Push Notifications, while remaining very convenient for most people who keep their phones with them at all times.
+
+Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret, or otherwise be able to predict what any future codes might be.
+
+### Aegis Authenticator
+
+!!! recommendation
+
+ ![Aegis logo](/assets/img/multi-factor-authentication/aegis.png){ align=right }
+
+ **Aegis Authenticator** is a free, secure and open source app to manage your 2-step verification tokens for your online services.
+
+ [Visit getaegis.app](https://getaegis.app){ .md-button .md-button--primary }
+
+**Downloads:**
+
+- [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.beemdevelopment.aegis)
+- [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+- [:fontawesome-brands-github: GitHub](https://github.com/beemdevelopment/Aegis)
+
+### Ravio OTP
+
+!!! recommendation
+
+ ![Ravio OTP logo](/assets/img/multi-factor-authentication/ravio-otp.png){ align=right }
+
+ **Ravio OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client built for iOS.
+
+ [Visit website](https://github.com/raivo-otp/ios-application){ .md-button .md-button--primary }
+
+**Downloads:**
+
+- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
diff --git a/docs/notebooks.md b/docs/notebooks.md
new file mode 100644
index 00000000..60e22646
--- /dev/null
+++ b/docs/notebooks.md
@@ -0,0 +1,60 @@
+---
+title: Notebooks
+icon: material/notebook-edit-outline
+---
+
+Keep track of your notes and journalings without giving them to a third party.
+
+If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports [End-to-end encryption (E2EE)](https://en.wikipedia.org/wiki/End-to-end_encryption).
+
+## Cloud based
+
+### Joplin
+
+!!! recommendation
+
+ ![Joplin logo](/assets/img/notebooks/joplin.svg){ align=right }
+
+ **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers end-to-end encryption and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
+
+ [Visit joplinapp.org](https://joplinapp.org/){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://joplinapp.org/#desktop-applications)
+ - [:fontawesome-brands-apple: macOS](https://joplinapp.org/#desktop-applications)
+ - [:fontawesome-brands-linux: Linux](https://joplinapp.org/#desktop-applications)
+ - [:fontawesome-brands-firefox-browser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+ - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+ - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.cozic.joplin)
+ - [:fontawesome-brands-android: Android](https://joplinapp.org/#mobile-applications)
+ - [:fontawesome-brands-github: GitHub](https://github.com/laurent22/joplin)
+
+!!! warning
+
+ Note: As of Dec 2018, Joplin does not support password/pin protection for the application itself or individual notes/notebooks. Data is still encrypted in transit and at sync location using your master key. See [open issue](https://github.com/laurent22/joplin/issues/289).
+
+### Standard Notes
+
+!!! recommendation
+
+ ![Standard Notes logo](/assets/img/notebooks/standard-notes.svg){ align=right }
+
+ Standard Notes is a simple and private notes app that makes your notes easy and available everywhere you are. It features end-to-end encryption on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).
+
+ [Visit standardnotes.org](https://standardnotes.org/){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://standardnotes.org/#get-started)
+ - [:fontawesome-brands-apple: macOS](https://standardnotes.org/#get-started)
+ - [:fontawesome-brands-linux: Linux](https://standardnotes.org/#get-started)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1285392450)
+ - [:octicons-browser-16: Browser](https://app.standardnotes.org/)
+ - [:fontawesome-brands-github: GitHub](https://github.com/standardnotes)
+
+## Worth Mentioning
+
+- [EteSync](https://www.etesync.com/) - Secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars, tasks and notes.
+- [Paperwork](https://paperwork.cloud/) - An open-source and self-hosted solution. For PHP / MySQL servers.
+- [Org-mode](https://orgmode.org) - A major mode for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system.
diff --git a/docs/passwords.md b/docs/passwords.md
new file mode 100644
index 00000000..8897a875
--- /dev/null
+++ b/docs/passwords.md
@@ -0,0 +1,156 @@
+---
+title: Password Managers
+icon: material/form-textbox-password
+---
+Stay safe and secure online with an encrypted and open-source password manager.
+
+## Password best practices
+- Always use unique passwords. Don't make yourself a victim of "[credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing)".
+- Store an exported backup of your passwords in an [encrypted container](/file-encryption) on another storage device. This can be useful if something happens to your device or the service you are using.
+- If possible store [Time-based one-time password (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password) tokens in a separate [TOTP app](/multi-factor-authentication) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
+
+## Local Password Managers
+These password managers store the password database locally.
+
+### KeepassXC
+!!! recommendation
+
+ ![KeepassXC logo](/assets/img/password-management/keepassxc.svg){ align=right }
+
+ **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.
+
+ !!! warning
+ KeepassXC stores its export data as [comma-separated values (CSV)](https://en.wikipedia.org/wiki/Comma-separated_values). This may mean data loss if you import this file into another password manager. We advise you check each record manually.
+
+ [Visit keepassxc.org](https://keepassxc.org){ .md-button .md-button--primary } [Privacy Policy](https://keepassxc.org/privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://keepassxc.org/download/#windows)
+ - [:fontawesome-brands-apple: macOS](https://keepassxc.org/download/#mac)
+ - [:fontawesome-brands-linux: Linux](https://keepassxc.org/download/#linux)
+ - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+ - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+ - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
+ - [:fontawesome-brands-github: Source](https://github.com/keepassxreboot/keepassxc)
+
+### KeepassDX
+!!! recommendation
+
+ ![KeepassDX logo](/assets/img/password-management/keepassdx.svg){ align=right }
+
+ **KeepassDX** is a modern password manager which by default stores its database locally and not in the cloud. The [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) package adds some extra features to the app.
+
+ For more details, we recommend looking at their [FAQ](https://github.com/Kunzisoft/KeePassDX/wiki/FAQ).
+
+ [Visit keepassdx.com](https://www.keepassdx.com){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
+ - [:fontawesome-brands-app-store-ios: App Store](https://www.f-droid.org/packages/com.kunzisoft.keepass.libre)
+ - [:fontawesome-brands-github: Source](https://github.com/Kunzisoft/KeePassDX)
+
+## Cloud syncing Password Managers
+These password managers sync up to a cloud server that may be self-hostable.
+
+### Bitwarden
+!!! recommendation
+
+ ![Bitwarden logo](/assets/img/password-management/bitwarden.svg){ align=right }
+
+ **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the easiest and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. If you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden server.
+
+ [Visit bitwarden.com](https://bitwarden.com){ .md-button .md-button--primary } [Privacy Policy](https://bitwarden.com/privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://bitwarden.com/download)
+ - [:fontawesome-brands-apple: macOS](https://apps.apple.com/app/bitwarden/id1352778147)
+ - [:fontawesome-brands-linux: Linux](https://bitwarden.com/download)
+ - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/com.bitwarden.desktop)
+ - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
+ - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
+ - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
+ - [:pg-f-droid: F-Droid](https://mobileapp.bitwarden.com/fdroid)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+ - [:fontawesome-brands-github: Source](https://github.com/bitwarden)
+
+### Psono
+!!! recommendation
+
+ ![Psono logo](/assets/img/password-management/psono.svg){ align=right }
+
+ **Psono** is a free and open source password manager from Germany, with a focus on password management for teams. It can be [self-hosted](/password-management/#password-management-servers). Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
+
+ [Visit psono.com](https://psono.com){ .md-button .md-button--primary } [Privacy Policy](https://psono.com/privacy-policy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+ - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
+ - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
+ - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/psono/psono-client)
+ - [:fontawesome-brands-github: Source](https://gitlab.com/psono)
+
+## Password management servers
+These products are self-hostable synchronization for cloud based password managers.
+
+### Vaultwarden
+!!! recommendation
+
+ ![Vaultwarden logo](/assets/img/password-management/vaultwarden.svg#only-light){ align=right }
+ ![Vaultwarden logo](/assets/img/password-management/vaultwarden-dark.svg#only-dark){ align=right }
+
+ **Vaultwarden** is an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+
+ [Visit github.com](https://github.com/dani-garcia/vaultwarden)
+
+ **Downloads**
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server)
+ - [:fontawesome-brands-github: Source](https://github.com/dani-garcia/vaultwarden)
+
+### Psono Server
+!!! recommendation
+
+ ![Psono Server logo](/assets/img/password-management/psono.svg){ align=right }
+
+ Psono provides [extensive documentation](https://doc.psono.com/) for their product. The [web-client](https://doc.psono.com/admin/installation/install-webclient.html#installation-with-docker) for Psono can be self hosted; alternatively, you can choose the the full [Community Edition](https://doc.psono.com/admin/installation/install-server-ce.html) or the [Enterprise Edition](https://doc.psono.com/admin/installation/install-server-ee.html) with additional features.
+
+ [Visit ](){ .md-button .md-button--primary } [Privacy Policy](){ .md-button }
+ [:pg-tor:](){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/psono/psono-server)
+ - [:fontawesome-brands-gitlab: Source](https://gitlab.com/psono/psono-server)
+
+## Minimal Password Managers
+These products are minimal password managers that can be used within scripting applications.
+
+### Pass
+!!! recommendation
+
+ ![Pass logo](/assets/img/password-management/pass.svg){ align=right }
+
+ **Pass** is a bare-bones password store that keeps passwords using [GnuPG](https://gnupg.org) encrypted files inside a simple directory tree residing at `~/.password-store`. It has a simple terminal interface where the user can perform the usual actions, and its functionality can be extended by plugins. It can also be used in scripts without having to input the actual password in plain text.
+
+ [Visit passwordstore.org](https://www.passwordstore.org){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-apple: macOS](https://www.passwordstore.org)
+ - [:fontawesome-brands-linux: Linux](https://www.passwordstore.org)
+ - [:fontawesome-brands-git: Source](https://git.zx2c4.com/password-store)
+
+### gopass
+!!! recommendation
+
+ ![gopass logo](/assets/img/password-management/gopass.svg){ align=right }
+
+ **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, MacOS, BSD, Windows).
+
+ [Visit gopass.pw](https://www.gopass.pw){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-windows: Windows](https://www.gopass.pw/#install-windows)
+ - [:fontawesome-brands-apple: macOS](https://www.gopass.pw/#install-macos)
+ - [:fontawesome-brands-linux: Linux](https://www.gopass.pw/#install-linux)
+ - [:fontawesome-brands-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+ - [:fontawesome-brands-github: Source](https://github.com/gopasspw/gopass)
diff --git a/docs/productivity.md b/docs/productivity.md
new file mode 100644
index 00000000..bb307a24
--- /dev/null
+++ b/docs/productivity.md
@@ -0,0 +1,119 @@ +--- +title: Productivity Tools +icon: material/file-sign +--- +Get working and collaborating without sharing your documents with a middleman or trusting a cloud provider. + +## Office Suites +### LibreOffice +!!! recommendation + + ![LibreOffice logo](/assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [Visit libreoffice.org](https://www.libreoffice.org){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-linux: Linux (Flatpak)](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice) + - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-git: Source](https://www.libreoffice.org/about-us/source-code) + +### OnlyOffice +!!! recommendation + + ![OnlyOffice logo](/assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is alternative, it is free and open-source office suite with extensive functionality. 
+ + [Visit onlyoffice.com](https://www.onlyoffice.com){ .md-button .md-button--primary } [Privacy Policy](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://www.onlyoffice.com/download-desktop.aspx?from=default) + - [:fontawesome-brands-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx?from=default) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/onlyoffice-documents/id944896972) + - [:fontawesome-brands-github: Source](https://github.com/ONLYOFFICE) + +## Planning +### Framadate +!!! recommendation + + ![Framadate logo](/assets/img/productivity/framadate.svg){ align=right } + + **Framadate** is a free and open-source online service for planning an appointment or making a decision quickly and easily. No registration is required. + + [Visit framadate.org](https://framadate.org){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-gitlab: Source](https://framagit.org/framasoft/framadate) + +## Paste services +### PrivateBin +!!! recommendation + + ![PrivateBin logo](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. Do note that it uses JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. 
Consider self-hosting to mitigate this threat. + + [Visit privatebin.info](https://privatebin.info){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-github: Source](https://github.com/PrivateBin/PrivateBin) + +### CryptPad +!!! recommendation + + ![CryptPad logo](/assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content is end-to-end encrypted. Do note that it uses JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat. + + [Visit cryptpad.fr](https://cryptpad.fr){ .md-button .md-button--primary } [Privacy Policy](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .md-button } + + **Downloads** + - [:fontawesome-brands-github: Source](https://github.com/xwiki-labs/cryptpad) + +## Blogging +### Write.as +!!! recommendation + + ![Write.as logo](/assets/img/productivity/writeas.svg#only-light){ align=right } + ![Write.as logo](/assets/img/productivity/writeas-dark.svg#only-dark){ align=right } + + **Write.as** is a cross-platform, privacy-oriented blogging platform. It's anonymous by default, letting you publish without signing up. If you create an account, it doesn't require any personal information. No ads, distraction-free, and built on a sustainable business model. 
+ + [Visit write.as](https://write.as){ .md-button .md-button--primary } [:pg-tor:](http://writeasw4b635r4o3vec6mu45s47ohfyro5vayzx2zjwod4pjswyovyd.onion){ .md-button } [Privacy Policy](https://write.as/privacy){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://github.com/writeas/writeas-cli) + - [:fontawesome-brands-apple: macOS](https://github.com/writeas/writeas-cli) + - [:fontawesome-brands-linux: Linux](https://github.com/writeas/writeas-cli) + - [:fontawesome-brands-freebsd: FreeBSD](https://write.as/apps) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.abunchtell.writeas) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1531530896) + - [:fontawesome-brands-git: Source](https://code.as/writeas) + +## Programming +### VSCodium +!!! recommendation + + ![VSCodium logo](/assets/img/productivity/vscodium.svg){ align=right } + + **VSCodium** is a free opens ource fork of Microsofts [Visual Studio Code](https://en.wikipedia.org/wiki/Visual_Studio_Code) editor without branding or telemetry. + + [Visit vscodium.com](https://vscodium.com){ .md-button .md-button--primary } [Privacy Policy](){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://github.com/VSCodium/vscodium/releases) + - [:fontawesome-brands-apple: macOS](https://github.com/VSCodium/vscodium/releases) + - [:fontawesome-brands-linux: Linux](https://github.com/VSCodium/vscodium/releases) + - [:fontawesome-brands-github: Source](https://github.com/VSCodium/vscodium) diff --git a/docs/qubes.md b/docs/qubes.md new file mode 100644 index 00000000..a8ff9bdf --- /dev/null +++ b/docs/qubes.md 
@@ -0,0 +1,17 @@
+---
+title: Qubes OS
+icon: pg/qubes-os
+---
+Qubes OS is a distribution of Linux that uses [Xen](https://en.wikipedia.org/wiki/Xen) to provide app isolation.
+
+### Qubes OS
+!!! recommendation
+
+ ![Qubes OS logo](/assets/img/qubes/qubes_os.svg){ align=right }
+
+ **Qubes** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.
+
+ [Visit qubes-os.org](https://www.qubes-os.org/){ .md-button .md-button--primary } [:pg-tor:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .md-button } [Privacy Policy](https://www.qubes-os.org/privacy){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-github: Source](https://github.com/QubesOS)
diff --git a/docs/real-time-communication.md b/docs/real-time-communication.md
new file mode 100644
index 00000000..24a2a4c7
--- /dev/null
+++ b/docs/real-time-communication.md
@@ -0,0 +1,209 @@ +--- +icon: material/chat-processing +--- + +## Encrypted Instant Messengers + +### Signal + +!!! recommendation + + ![Signal logo](/assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your login PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts who add you. + + [Visit signal.org](https://signal.org/){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://signal.org/download) + - [:fontawesome-brands-apple: macOS](https://signal.org/download) + - [:fontawesome-brands-linux: Linux](https://signal.org/download) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id874139669) + - [:fontawesome-brands-github: Source](https://github.com/signalapp) + +Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. + +Signal requires your phone number as a personal identifier. + +[Sealed Sender](https://signal.org/blog/sealed-sender/) is only enabled for users on your contact list but can be enabled for all recipients with the increased risk of receiving spam. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +### Element + +!!! 
recommendation + + ![Element logo](/assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are 1 to 1 voice and video calls. + + [Visit element.io](https://element.io/){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://element.io/get-started) + - [:fontawesome-brands-apple: macOS](https://element.io/get-started) + - [:fontawesome-brands-linux: Linux](https://element.io/get-started) + - [:fontawesome-brands-android: Android](https://f-droid.org/packages/im.vector.app/) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:fontawesome-brands-github: Source](https://github.com/vector-im/element-web) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](https://privacyguides.org/threat-modeling) requires stronger protection, then use a desktop or mobile client instead. 
+ +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Briar + +!!! recommendation + + ![Briar logo](/assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [Visit briarproject.org](https://briarproject.org/){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-android: Android](https://f-droid.org/packages/org.briarproject.briar.android) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:fontawesome-brands-git: Source](https://code.briarproject.org/briar/briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/) and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). 
+ +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +### Session + +!!! recommendation + + ![Session logo](/assets/img/messengers/briar.svg){ align=right } + + **Session** is an encrypted instant messenger that uses three random [service nodes](https://getsession.org/blog/onion-requests-session-new-message-routing-solution) to route messages anonymously on the [Oxen Network](https://oxen.io). + + [Visit getsession.org](https://getsession.org/){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://getsession.org/windows) + - [:fontawesome-brands-apple: macOS](https://getsession.org/mac) + - [:fontawesome-brands-linux: Linux](https://www.getsession.org/linux) + - [:fontawesome-brands-android: Android](https://fdroid.getsession.org/) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1470168868) + - [:fontawesome-brands-github: Source](https://github.com/oxen-io/session-desktop) + +Session allows for E2EE in one-to-one or closed rooms that allow up to 100 members. Open rooms have no restriction on the number of members, but anyone can join. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support forward secrecy. The key pair for each conversation is not rotated. + +Session was independently audited in 2020. The protocol is described in a whitepaper. + +## Types of Communication Networks +There are several network architectures commonly used to relay messages between users. 
These networks can provide different different privacy guarantees, which is why it's worth considering your [threat model](https://en.wikipedia.org/wiki/Threat_model) when making a decision about which app to use. + +### Centralized Networks + +![Centralized networks diagram](/assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or better user experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self hosting requires effort and knowledge of how to set up a service. 
+ + +### Federated Networks + +![Federated networks diagram](/assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, users of a federated server can discover and communicate with users of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose who to trust your data with by choosing between multiple "public" servers. +- Often allows for third party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member) + +**Disadvantages:** + +- Adding new features is more complex, because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is utilized. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. 
This will hinder your ability to communicate with users on those servers. + +### Peer-to-Peer (P2P) Networks + +![P2P diagram](/assets/img/layout/network-distributed.svg){ align=left } + +[P2P](https://en.wikipedia.org/wiki/Peer-to-peer) messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recepient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as users communicate directly between each others, and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as users discovery or offline messages relaying, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third parties. +- Modern P2P platforms implement end-to-end encryption by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. 
+ +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your [IP address](https://en.wikipedia.org/wiki/IP_address) and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](https://privacyguides.org/providers/vpn) or [self contained network](https://privacyguides.org/software/networks), such as [Tor](https://www.torproject.org) or [I2P](https://geti2p.net/). Many countries have some form of mass surveillance and/or metadata retention. + + +### Anonymous Routing + +![Anonymous routing diagram](/assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](https://en.wikipedia.org/wiki/Tor_(anonymity_network))), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly, and only meet through a secret rendezvous node, so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages nor the final destination, only the recipient can. 
Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers". + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform, hence features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/docs/router.md b/docs/router.md new file mode 100644 index 00000000..e1c5d47e --- /dev/null +++ b/docs/router.md 
@@ -0,0 +1,35 @@
+---
+title: Router Firmware
+icon: material/router-wireless
+---
+Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points etc.
+
+### OpenWrt
+
+!!! recommendation
+
+ ![OpenWrt logo](/assets/img/router/openwrt.svg#only-light){ align=right }
+ ![OpenWrt logo](/assets/img/router/openwrt-dark.svg#only-dark){ align=right }
+
+ **OpenWrt** is an operating system (in particular, an embedded operating system) based on the Linux kernel, primarily used on embedded devices to route network traffic. The main components are the Linux kernel, util-linux, uClibc, and BusyBox. All components have been optimized for size, to be small enough for fitting into the limited storage and memory available in home routers.
+
+ !!! note
+ Consult the [Table of Hardware](https://openwrt.org/toh/start) to check if your device is supported.
+
+ [Visit openwrt.org](https://openwrt.org){ .md-button .md-button--primary }
+
+ **Downloads**
+ - [:fontawesome-brands-git: Source](https://git.openwrt.org)
+
+### pfSense
+!!! recommendation
+
+ ![pfSense logo](/assets/img/router/pfsense.svg#only-light){ align=right }
+ ![pfSense logo](/assets/img/router/pfsense-dark.svg#only-dark){ align=right }
+
+ pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network and is noted for its reliability and offering features often only found in expensive commercial firewalls. pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.
+
+ [Visit pfsense.org](https://www.pfsense.org){ .md-button .md-button--primary } [Privacy Policy](https://www.pfsense.org/privacy.html){ .md-button }
+
+ **Downloads**
+ - [:fontawesome-brands-github: Source](https://github.com/pfsense)
diff --git a/docs/search-engines.md b/docs/search-engines.md
new file mode 100644
index 00000000..47fc9694
--- /dev/null
+++ b/docs/search-engines.md
@@ -0,0 +1,67 @@ +--- +title: Search Engines +icon: material/search-web +--- +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +### DuckDuckGo +!!! recommendation + + ![DuckDuckGo logo](/assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is a popular search engine and is the default for the Tor Browser. + + DuckDuckGo has a [lite](https://duckduckgo.com/lite) and [html](https://duckduckgo.com/html) only version, both of which [do not require JavaScript](https://help.duckduckgo.com/features/non-javascript) and can be used with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion) (append [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version). + + DuckDuckGo uses a commercial Bing API and various [other sources](https://help.duckduckgo.com/results/sources) to provide its search data. + + [Visit duckduckgo.com](https://duckduckgo.com){ .md-button .md-button--primary } [:pg-tor:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .md-button } [Privacy Policy](https://duckduckgo.com/privacy){ .md-button } + + !!! note + The company is based in the 🇺🇸 US. Their [Privacy Policy](https://duckduckgo.com/privacy) states they do log your search query, but not your IP or any other identifying information. + +### Startpage +!!! recommendation + + ![Startpage logo](/assets/img/search-engines/startpage.svg){ align=right } + + **Startpage** is a search engine that provides Google search results. 
It is a very convenient way to get Google search results without experiencing dark patterns such as difficult captchas or being refused access because you used a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/download/). + + [Visit startpage.com](https://www.startpage.com){ .md-button .md-button--primary } [Privacy Policy](https://www.startpage.com/en/privacy-policy){ .md-button } + + !!! note + Startpage is based in the 🇳🇱 Netherlands. According to their [Privacy Policy](https://www.startpage.com/en/privacy-policy/), they only log details such as: operating system, type of browser and language. They do not log your IP address, search queries or other identifying information. Startpage proxies Google Search so Google does have access to your search queries. + + Startpage's majority shareholder is System1 who is an adtech company. We don't think that is an issue as they have their own Privacy Policy. The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) for clarification and was satisfied by the answers we received. + +### Mojeek +!!! recommendation + + ![Mojeek logo](/assets/img/search-engines/mojeek.svg){ align=right } + + **Mojeek** is another privacy friendly search engine. They use their own crawler to provide search data. + + [Visit mojeek.com](https://www.mojeek.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mojeek.com/about/privacy){ .md-button } + + !!! note + The company is based in the 🇬🇧 UK. According to their [Privacy Policy](https://www.mojeek.com/about/privacy/), they log the originating country, time, page requested, and referral data of each query. IP addresses are not logged. + +### Searx +!!! 
recommendation + + ![Searx logo](/assets/img/search-engines/searx.svg){ align=right } + + **Searx** is an [open-source](https://github.com/asciimoo/searx), self-hostable, metasearch engine, aggregating the results of other search engines while not storing information about its users. There is a [list of public instances](https://searx.space/). + + [Visit searx.me](https://searx.me){ .md-button .md-button--primary } [:pg-tor:](http://searxspbitokayvkhzhsnljde7rqmn7rvoga6e4waeub3h7ug3nghoad.onion){ .md-button } + + !!! note + Searx is a proxy between the user and the search engines it aggregates from. Your search queries will still be sent to the search engines that Searx gets its results from. + + When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Searx, as other people looking up illegal content on your instance could draw unwanted attention from authorities. + + When you are using a Searx instance, be sure to go read the Privacy Policy of that specific instance. Searx instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information). diff --git a/docs/self-contained-networks.md b/docs/self-contained-networks.md new file mode 100644 index 00000000..4c93784a --- /dev/null +++ b/docs/self-contained-networks.md 
@@ -0,0 +1,66 @@ +--- +title: Self-Contained Networks +icon: material/security-network +--- +If you are currently browsing clearnet and want to access the dark web, this section is for you. + +## Self-contained Networks +### Tor +!!! recommendation + + ![Tor logo](./assets/img/self-contained-networks/tor.svg){ align=right } + + The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor's users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Tor is an effective censorship circumvention tool. + + [Visit torproject.org](https://www.torproject.org){ .md-button .md-button--primary } [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://www.torproject.org/download/) + - [:fontawesome-brands-apple: macOS](https://www.torproject.org/download/) + - [:fontawesome-brands-linux: Linux](https://www.torproject.org/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/security/tor) + - [:pg-openbsd: OpenBSD](https://openports.se/net/tor) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/net/tor) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:pg-f-droid: F-Droid](https://support.torproject.org/tormobile/tormobile-7/) + - [:fontawesome-brands-android: Android](https://www.torproject.org/download/#android) + - [:fontawesome-brands-git: Source](https://gitweb.torproject.org/tor.git) + +### I2P Anonymous Network +!!! 
recommendation + + ![I2P logo](./assets/img/self-contained-networks/i2p.svg){ align=right } + + The Invisible Internet Project (I2P) is a computer network layer that allows applications to send messages to each other pseudonymously and securely. Uses include anonymous Web surfing, chatting, blogging, and file transfers. The software that implements this layer is called an I2P router and a computer running I2P is called an I2P node. The software is free and open-source and is published under multiple licenses. + + [Visit geti2p.net](https://geti2p.net){ .md-button .md-button--primary } [:pg-i2p:](http://i2p-projekt.i2p){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://geti2p.net/en/download#windows) + - [:fontawesome-brands-apple: macOS](https://geti2p.net/en/download#mac) + - [:fontawesome-brands-linux: Linux](https://geti2p.net/en/download#unix) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/security/i2p) + - [:pg-openbsd: OpenBSD](https://openports.se/net/i2pd) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/wip/i2pd) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.i2p.android) + - [:pg-f-droid: F-Droid](https://f-droid.org/app/net.i2p.android.router) + - [:fontawesome-brands-android: Android](https://download.i2p2.de/android/current/) + - [:fontawesome-brands-git: Source](https://geti2p.net/en/get-involved/guides/new-developers#getting-the-i2p-code) + +### The Freenet Project +!!! recommendation + + ![Freenet logo](./assets/img/self-contained-networks/freenet.svg){ align=right } + + Freenet is a peer-to-peer platform for censorship-resistant communication. It uses a decentralized distributed data store to keep and deliver information, and has a suite of free software for publishing and communicating on the Web without fear of censorship. 
Both Freenet and some of its associated tools were originally designed by Ian Clarke, who defined Freenet's goal as providing freedom of speech on the Internet with strong anonymity protection. + + [Visit freenetproject.org/](https://freenetproject.org){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://freenetproject.org/pages/download.html#windows) + - [:fontawesome-brands-apple: macOS](https://freenetproject.org/pages/download.html#os-x) + - [:fontawesome-brands-linux: Linux](https://freenetproject.org/pages/download.html#gnulinux-posix) + - [:fontawesome-brands-freebsd: FreeBSD](https://freenetproject.org/pages/download.html#gnulinux-posix) + - [:pg-openbsd: OpenBSD](https://freenetproject.org/pages/download.html#gnulinux-posix) + - [:pg-netbsd: NetBSD](https://freenetproject.org/pages/download.html#gnulinux-posix) + - [:fontawesome-brands-github: Source](https://github.com/freenet/) diff --git a/docs/social-networks.md b/docs/social-networks.md new file mode 100644 index 00000000..88b6615e --- /dev/null +++ b/docs/social-networks.md 
@@ -0,0 +1,90 @@ +--- +title: Social Networks +icon: material/account-supervisor-circle-outline +--- +Find a social network that doesn’t pry into your data or monetize your profile. + +## Decentralized Social Networks +### Mastodon (Twitter Alternative) +!!! recommendation + + ![Mastodon logo](/assets/img/social-networks/mastodon.svg){ align=right } + + Mastodon is a social network based on open web protocols and free, open-source software. It is decentralized like email, users can exist on different servers or even different platforms but still communicate with each other. It also has the most users, and the most diverse (in terms of interests) users, it looks good, and it is easy to setup yourself. + + [Visit joinmastodon.org](https://joinmastodon.org){ .md-button .md-button--primary } [Privacy Policy](https://joinmastodon.org/privacy-policy){ .md-button } + + **Downloads** + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/mastodon-for-iphone/id1571998974) + - [:fontawesome-regular-circle-down: All other apps](https://joinmastodon.org/apps) + - [:fontawesome-brands-github: Source](https://github.com/mastodon) + +### diaspora\* (Google+ Alternative) +!!! recommendation + + ![diaspora* logo](/assets/img/social-networks/diaspora.svg){ align=right } + + diaspora\* is based on three key philosophies: Decentralization, Freedom, and Privacy. It is intended to address privacy concerns related to centralized social networks by allowing users set up their own server (or "pod") to host content. Pods can then interact to share status updates, photographs, and other social data. + + [Visit diasporafoundation.org](https://diasporafoundation.org){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-regular-circle-down: All apps](https://wiki.diasporafoundation.org/Tools_to_use_with_Diaspora) + - [:fontawesome-brands-github: Source](https://github.com/diaspora) + +### Friendica (Facebook Alternative) +!!! 
recommendation + + ![Frendica logo](/assets/img/social-networks/friendica.svg){ align=right } + + **Friendica** has an emphasis on extensive privacy settings and easy server installation. It aims to federate with as many other social networks as possible. Currently, Friendica users can integrate contacts from Facebook, Twitter, Diaspora, GNU social, App.net, Pump.io and other services in their social streams. + + [Visit friendi.ca](https://friendi.ca){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-regular-circle-down: All apps](https://friendi.ca/resources/mobile-clients/) + - [:fontawesome-brands-github: Source](https://github.com/friendica) + +### PixelFed (Instagram Alternative) +!!! recommendation + + ![PixelFed logo](/assets/img/social-networks/pixelfed.svg){ align=right } + + **PixelFed** is a free and ethical photo sharing platform, powered by ActivityPub federation. Pixelfed is an open-source, federated platform. You can run your own instance or join an [existing one](https://fediverse.party/en/pixelfed). + + [Visit pixelfed.org](https://pixelfed.org){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-github: Source](https://github.com/pixelfed) + +### Pleroma (Twitter Alternative) +!!! recommendation + + ![Pleroma logo](/assets/img/social-networks/pleroma.svg){ align=right } + + **Pleroma** is a free, federated social networking server built on open protocols. It is compatible with Mastodon and many other ActivityPub and OStatus implementations. + + [Visit pleroma.social](https://pleroma.social){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-regular-circle-down:](https://docs-develop.pleroma.social/backend/clients/#pleroma-clients) + - [:fontawesome-brands-gitlab: Source](https://git.pleroma.social/pleroma) + +### Movim +!!! 
recommendation + + ![Movim logo](/assets/img/social-networks/movim.svg){ align=right } + + **Movim** is a federated social platform that relies on the XMPP standard and therefore allows you to exchange with many other clients on all devices. + + **Downloads** + - [:fontawesome-brands-github: Source](https://github.com/movim) + +## Related Information +- [JustDeleteMe](https://justdeleteme.xyz) - A directory of direct links to delete your account from web services. +- [Forget](https://forget.codl.fr) - A service that automatically deletes your old posts on Twitter and Mastodon that everyone has forgotten about. + +## Facebook Related +- [How do I permanently delete my Facebook account?](https://www.facebook.com/help/224562897555674) +- [Facebook Container by Mozilla](https://addons.mozilla.org/firefox/addon/facebook-container) +- [Stop using Facebook](https://web.archive.org/web/20190510075433/https://www.stopusingfacebook.co/) - A curated list of reasons to stop using Facebook and how to do it. diff --git a/docs/social-news-aggregator.md b/docs/social-news-aggregator.md new file mode 100644 index 00000000..24d6e70e --- /dev/null +++ b/docs/social-news-aggregator.md 
@@ -0,0 +1,53 @@ +--- +title: Social News Aggregator +icon: material/newspaper-variant-outline +--- +Stay up-to-date with privacy-respecting online bulletin boards. + +### Tildes +!!! recommendation + + ![Tildes logo](/assets/img/social-media-aggregator/tildes.svg){ align=right } + + **Tildes** is a web-based self-hostable online bulletin board. It is licensed under [AGPLv3](https://gitlab.com/tildes/tildes/blob/master/LICENSE). + + [Visit tildes.net](https://tildes.net){ .md-button .md-button--primary } [Privacy Policy](https://docs.tildes.net/policies/privacy-policy){ .md-button } + + **Downloads** + - [:fontawesome-brands-gitlab: Source](hhttps://gitlab.com/tildes) + +### Lemmy +!!! recommendation + + ![Lemmy logo](/assets/img/social-media-aggregator/lemmy.svg){ align=right } + + **Lemmy** is an [AGPL](https://github.com/dessalines/lemmy/blob/master/LICENSE)-licensed self-hostable link aggregator and discussion network designed to serve as an alternative to Reddit within the ActivityPub [Fediverse](https://www.wikipedia.org/wiki/Fediverse). + + [Visit lemmy.ml](https://lemmy.ml){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-github: Source](https://github.com/LemmyNet) + +### Postmill +!!! recommendation + + ![Postmill logo](/assets/img/social-media-aggregator/postmill.png){ align=right } + + **Postmill** is a free, web-based, social link aggregator with voting and nested comments. + + [Visit postmill.xyz](https://postmill.xyz){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-gitlab: Source](https://gitlab.com/postmill) + +### Freepost +!!! recommendation + + ![Freepost logo](/assets/img/social-media-aggregator/freepost.svg){ align=right } + + **Freepost** is a free and open-source discussion board based on free software and free culture with a highly motivated community. 
+ + [Visit freepo.st](https://freepo.st){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-git: Source](https://notabug.org/zPlus/freepost) diff --git a/docs/stylesheets/extra.css b/docs/stylesheets/extra.css new file mode 100644 index 00000000..99c32b1b --- /dev/null +++ b/docs/stylesheets/extra.css 
@@ -0,0 +1,87 @@
+@font-face {
+ font-family: Bagnard;
+ src: url("/assets/fonts/bagnard/Bagnard.woff") format("woff"), url("/assets/fonts/bagnard/Bagnard.ttf") format("truetype"), url("/assets/fonts/bagnard/Bagnard.otf") format("opentype");
+}
+
+/* Define brand colors */
+:root {
+ --md-primary-fg-color: #FFD06F;
+ --md-primary-fg-color--light: #ffdd98;
+ --md-primary-fg-color--dark: #db9d21;
+ --md-primary-bg-color: rgba(0,0,0,.75);
+ --md-primary-bg-color--light: rgba(0,0,0,.54);
+}
+
+/* Hide shadow under navigation */
+.md-header[data-md-state="shadow"],
+.md-header--shadow {
+ box-shadow: none;
+}
+
+/* Better contrast link colors */
+[data-md-color-scheme="default"] {
+ --md-typeset-a-color: #3C00E0;
+}
+
+[data-md-color-scheme="slate"] {
+ --md-typeset-a-color: #CBBDFF;
+}
+
+/* Purple buttons */
+.md-typeset .md-button {
+ color: var(--md-typeset-a-color);
+}
+.md-typeset .md-button--primary {
+ color: white;
+ background-color: var(--md-typeset-a-color);
+ border-color: var(--md-typeset-a-color);
+}
+[data-md-color-scheme="slate"] .md-typeset .md-button--primary {
+ color: var(--md-primary-bg-color);
+}
+
+h1, h2, h3, .md-header__topic {
+ font-family: Bagnard, serif;
+}
+
+/* Recommendation cards */
+.md-typeset .admonition.recommendation,
+.md-typeset details.recommendation {
+ border: none;
+ font-size: inherit;
+}
+.md-typeset .recommendation > .admonition-title,
+.md-typeset .recommendation > summary {
+ background-color: rgba(43, 155, 70, 0.0);
+ border: none;
+ padding-left: 0.6rem;
+}
+.md-typeset .recommendation > .admonition-title::before,
+.md-typeset .recommendation > .admonition-title,
+.md-typeset .recommendation > summary::before {
+ display: none;
+}
+.md-typeset .recommendation img[align="right"], .md-typeset svg[align="right"] {
+ max-width: 150px;
+}
+
+.md-typeset .admonition.anonyimity,
+.md-typeset details.anonyimity {
+ border-color: rgb(43, 155, 70);
+}
+.md-typeset .anonyimity > .admonition-title,
+.md-typeset .anonyimity > 
summary { + background-color: rgba(43, 155, 70, 0.1); + border-color: rgb(43, 155, 70); +} +.md-typeset .anonyimity > .admonition-title::before, +.md-typeset .anonyimity > summary::before { + background-color: rgb(43, 155, 70); + -webkit-mask-image: var(--md-admonition-icon--success); + mask-image: var(--md-admonition-icon--success); +} + +/* Correct page icon size */ +.md-nav__link svg { + width: 22px; +} diff --git a/collections/_evergreen/threat-modeling.md b/docs/threat-modeling.md similarity index 99% rename from collections/_evergreen/threat-modeling.md rename to docs/threat-modeling.md index 4c939fb1..fe00d43b 100644 --- a/collections/_evergreen/threat-modeling.md +++ b/docs/threat-modeling.md @@ -1,6 +1,7 @@ --- layout: evergreen title: What are threat models? +icon: 'material/target-account' --- Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, et cetera. Often people find that the problem with the tools they see recommended is they're just too hard to start using! @@ -95,8 +96,6 @@ For example, an attorney representing a client in a national security case may b _Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints._ -{% include hr.html %} -
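Review bot: In the recommendation-card rules of `docs/stylesheets/extra.css`, the `display: none` selector list includes the bare `.md-typeset .recommendation > .admonition-title`, so the whole title is hidden and the background, border and padding that the rule just above sets on it never render, while `details.recommendation` keeps its `summary` visible and loses only the icon. If hiding the title is intended, drop `.admonition-title` from the preceding rule and add a comment such as `/* Recommendation titles are hidden; <details> keeps its summary without the icon */`; if only the icon should go, delete the middle selector. The `max-width` rule also lists `.md-typeset svg[align="right"]` without the `.recommendation` scope, so it caps every right-aligned SVG in the content area; `.md-typeset .recommendation svg[align="right"]` looks like what was meant. The `anonyimity` class name is a misspelling that every admonition using this style would have to repeat, so renaming it to `anonymity` is cheapest now.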

Further reading

diff --git a/docs/tools.md b/docs/tools.md
new file mode 100644
index 00000000..b03de7f8
--- /dev/null
+++ b/docs/tools.md
@@ -0,0 +1,43 @@
+---
+icon: material/tools
+hide:
+ - navigation
+---
+If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your use case.
+
+If you want assistance figuring out the best privacy tools and alternative programs for your workload/use-case, start a discussion in our [Reddit](https://www.reddit.com/r/privacyguides) or [Matrix](https://matrix.to/#/#privacyguides:matrix.org) communities!
+
+## Operating Systems
+
+- [:fontawesome-brands-android: Android Recommendations](android.md)
+- [:fontawesome-brands-linux: Linux Recommendations](linux-desktop.md)
+- [:pg-qubes-os: QubesOS Recommendations](qubes.md)
+- [:material-router-wireless: Router Firmware Recommendations](router.md)
+
+## Web Browsers
+
+- [:octicons-browser-16: Browsers](browsers.md)
+
+## Service Providers
+
+- [:material-file-cloud: Cloud Storage](cloud.md)
+- [:material-dns: DNS Resolvers](dns.md)
+- [:material-email: Email Hosts](email.md)
+- [:material-search-web: Search Engines](search-engines.md)
+- [:material-account-supervisor-circle-outline: Social Networks](social-networks.md)
+- [:material-newspaper-variant-outline: News Aggregators](social-news-aggregator.md)
+- [:material-vpn: VPN Services](vpn.md)
+
+## Software
+
+- [:material-calendar: Calendar/Contacts Sync](calendar-contacts.md)
+- [:material-notebook-edit-outline: Digital Notebooks](notebooks.md)
+- [:material-email-open: Email Clients](email-clients.md)
+- [:material-file-lock: Encryption Tools](encryption.md)
+- [:material-share-variant: File Sharing and Sync](file-sharing.md)
+- [:material-tag-remove: Metadata Removal Tools](metadata-removal-tools.md)
+- [:material-form-textbox-password: Password Managers](passwords.md)
+- [:material-file-sign: Productivity Tools](productivity.md)
+- [:material-chat-processing: Real-Time Communication](real-time-communication.md)
+- [:material-security-network: Self-Contained Networks](self-contained-networks.md)
+- [:material-video-wireless: Video Streaming Clients](video-streaming.md)
diff --git a/docs/video-streaming.md b/docs/video-streaming.md
new file mode 100644
index 00000000..89304cf4
--- /dev/null
+++ b/docs/video-streaming.md
@@ -0,0 +1,142 @@ +--- +title: Video Streaming +icon: material/video-wireless +--- +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](/providers/vpn/) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## Clients +### FreeTube + +!!! recommendation + + ![FreeTube logo](/assets/img/video-streaming/freetube.svg){ align=right } + + **FreeTube** is a free and open source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + FreeTube also features [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored advertisements. All YouTube advertisements are also blocked by default. + + !!! Warning + When using Freetube, your IP address is still known to YouTube, [Invidious](https://instances.invidious.io) and the SponsorBlock instances that you use. Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org) if your [threat model](/threat-modeling) requires hiding your IP address. + + [Visit freetubeapp.io](https://freetubeapp.io){ .md-button .md-button--primary } [Privacy Policy](https://freetubeapp.io/privacy.php){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download) + - [:fontawesome-brands-apple: macOS](https://freetubeapp.io/#download) + - [:fontawesome-brands-linux: Linux](https://freetubeapp.io/#download) + - [:fontawesome-brands-linux: Linux (Flatpak)](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + - [:fontawesome-brands-github: Source](https://github.com/FreeTubeApp/FreeTube/) + +### LBRY +!!! recommendation + + ![LBRY logo](/assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. 
It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + !!! Warning + We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + + !!! Warning + Only the **LBRY desktop client** is recommended. The [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the AppStore have mandatory synchronization and telemetry. + + !!! Warning + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org) if your [threat model](/threat-modeling) requires hiding your IP address. + + !!! Tip + You can disable *Save hosting data to help the LBRY network* option (⚙️ Settings → Advanced Settings) to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + + [Visit lbry.com](https://lbry.com){ .md-button .md-button--primary } [Privacy Policy](https://lbry.com/privacypolicy){ .md-button } + + **Downloads** + - [:fontawesome-brands-windows: Windows](https://lbry.com/get) + - [:fontawesome-brands-apple: macOS](https://lbry.com/osx) + - [:fontawesome-brands-linux: Linux](https://lbry.com/linux) + - [:fontawesome-brands-github: Source](https://github.com/lbryio) + +### NewPipe +!!! 
recommendation + + ![Newpipe logo](/assets/img//video-streaming/newpipe.svg){ align=right } + + **NewPipe** is a free and open source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [FramaTube](https://framatube.org), and [Bandcamp](https://bandcamp.com). + + !!! note + NewPipe is available on the main [F-Droid](https://www.f-droid.org)'s repository. We recommend that you use the NewPipe's own [F-Droid repository](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo) instead to get faster updates. + Your subscription list and playlists are saved locally on your Android device. + + [Visit newpipe.net](https://newpipe.net){ .md-button .md-button--primary } [Privacy Policy](https://newpipe.net/legal/privacy){ .md-button } + + **Downloads** + - [:fontawesome-brands-android: F-Droid repo](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo) + - [:fontawesome-brands-github: Source](https://github.com/TeamNewPipe/NewPipe) + +### NewPipe x SponsorBlock +!!! recommendation + + ![NewPipe x SponsorBlock logo](/assets/img/video-streaming/newpipe.svg){ align=right } + + **NewPipe x SponsorBlock** is a fork of [NewPipe](https://newpipe.net) with [SponsorBlock](https://sponsor.ajay.app) integrated to help you skip sponsored advertisements. + It also has some experimental settings such as the ability to use the built-in player for local playback, an option to force fullscreen on landscape mode, and an option to disable error reporting prompts. + + !!! note + This fork is not endorsed by or affiliated with the upstream project. The NewPipe team has [rejected](https://github.com/TeamNewPipe/NewPipe/pull/3205) integration with SponsorBlock and thus this fork is created to provide this functionality. 
+ + [Visit github.com](https://github.com/polymorphicshade/NewPipe){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-android: F-Droid repo](https://apt.izzysoft.de/fdroid/index/apk/org.polymorphicshade.newpipe) + - [:fontawesome-brands-github: Source](https://github.com/polymorphicshade/NewPipe) + +## Web-based Frontends +### Invidious +!!! recommendation + + ![Invidious logo](/assets/img/video-streaming/invidious.svg#only-light){ align=right } + ![Invidious logo](/assets/img/video-streaming/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open source front end for YouTube that is also self-hostable. There are list of [public instances](https://instances.invidious.io). Some instances have [Tor](https://www.torproject.org) onion services support. + + !!! tip + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security setting. It does not provide privacy by itself and we don’t recommend logging into any accounts. + + !!! warning + Invidious does not proxy the video stream through its server by default. Videos watched through Invidious will still make direct connections to Google's servers (googlevideo.com); however, some instances support video proxying. This can be enabled by adding `&local=true` to the URL. + + !!! warning + When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + + !!! note + When you are using an Invidious instance, be sure to go read the Privacy Policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. 
Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information). + + [Visit invidious.io](https://invidious.io){ .md-button .md-button--primary } [Privacy Policy](){ .md-button } + + **Downloads** + - [:fontawesome-solid-earth-americas: Instances](https://instances.invidious.io) + - [:fontawesome-brands-github: Source](https://github.com/iv-org/invidious) + +### Piped +!!! recommendation + + ![Piped logo](/assets/img/video-streaming/piped.svg){ align=right } + + **Piped** is a free and open source front end for YouTube that is also self-hostable. Alternative instances can be selected from "Preferences". + + !!! tip + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself and we don’t recommend logging into any accounts. + + !!! warning + When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + + !!! warning + When you are using a Piped instance, be sure to go read the Privacy Policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + + !!! warning + Piped requires javascript in order to function. + + [Visit piped.kavin.rocks](https://piped.kavin.rocks/){ .md-button .md-button--primary } + + **Downloads** + - [:fontawesome-brands-github: Source](https://github.com/TeamPiped/Piped) diff --git a/docs/vpn.md b/docs/vpn.md new file mode 100644 index 00000000..7d53761b --- /dev/null +++ b/docs/vpn.md 
@@ -0,0 +1,373 @@
+---
+title: VPN Services
+icon: material/vpn
+---
+
+Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
+
+??? danger "VPNs do not provide anonymity"
+
+ Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
+
+ If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.
+
+ If you're looking for added **security**, you should always ensure you're connecting to websites using [HTTPS](https://en.wikipedia.org/wiki/HTTPS). A VPN is not a replacement for good security practices.
+
+ [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button }
+
+??? info "When are VPNs useful?"
+
+ If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.
+
+ [More Info](#vpn-overview){ .md-button }
+
+## Recommended Providers
+
+!!! example "Criteria"
+
+ Our recommended providers are outside the US, use encryption, accept Bitcoin, support WireGuard & OpenVPN, and have a no logging policy. Read our full list of criteria for more information.
+
+### Mullvad
+
+!!! recommendation
+
+ ![Mullvad logo](/assets/img/vpn/mullvad.svg#only-light){ align=right }
+ ![Mullvad logo](/assets/img/vpn/mullvad-dark.svg#only-dark){ align=right }
+
+ **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial.
+
+ **EUR €60/year**
+
+ [Visit Mullvad.net](https://mullvad.net){ .md-button .md-button--primary }
+
+??? check "35 Countries"
+
+ Mullvad has [servers in 35 countries](https://mullvad.net/en/servers/) at the time of writing this page.
Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+??? check "Independently Audited"
+
+ Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded:
+
+ > Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.
+
+ In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website:
+
+ > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.
+
+ In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website.
+
+??? check "Open Source Clients"
+
+ Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app).
+
+??? check "Accepts Bitcoin"
+
+ Mullvad, in addition to accepting credit/debit cards and PayPal, accepts **Bitcoin**, **Bitcoin Cash**, and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers.
+
+??? check "WireGuard Support"
+
+ Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com)[^1] is a newer protocol that utilizes state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, whereas Windows users have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? check "IPv6 Support"
+
+ Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows users to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections.
+
+??? check "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for users who make one-time payments, and not allowed for accounts with a recurring/subscription-based payment method.
This is to prevent Mullvad from being able to identify port users based on stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information.
+
+??? check "Mobile Clients"
+
+ Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to use interface as opposed to requiring users to manual configure their WireGuard connections. The mobile client on Android is also available in [F-Droid](https://f-droid.org/packages/net.mullvad.mullvadvpn), which ensures that it is compiled with [reproducible builds](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
+
+??? info "Additional Functionality"
+
+ Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/en/index.html) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+
+### ProtonVPN
+
+!!! recommendation
+
+ ![ProtonVPN logo](/assets/img/vpn/protonvpn.svg){ align=right }
+
+ **ProtonVPN** is a strong contender in the VPN space, and they have been in operation since 2016. ProtonVPN is based in Switzerland and offers a limited free pricing tier, as well as premium options. They offer a further 14% discount for buying a 2 year subscription.
+
+ **Free** - **Basic Plan USD $48/year** - **Plus Plan USD $96/year**
+
+ [Visit ProtonVPN.com](https://protonvpn.com/){ .md-button .md-button--primary }
+
+??? check "44 Countries"
+
+ ProtonVPN has [servers in 44 countries](https://protonvpn.com/vpn-servers) at the time of writing this page. Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+??? check "Independently Audited"
+
+ As of January 2020 ProtonVPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in ProtonVPN's Windows, Android, and iOS applications, all of which were "properly fixed" by ProtonVPN before the reports were published. None of the issues identified would have provided an attacker remote access to a user's device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/).
+
+??? check "Open Source Clients"
+
+ ProtonVPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN).
+
+??? check "Accepts Bitcoin"
+
+ ProtonVPN does technically accept Bitcoin payments; however, you either need to have an existing account, or contact their support team in advance to register with Bitcoin.
+
+??? check "WireGuard Support"
+
+ ProtonVPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com)[^1] is a newer protocol that utilizes state-of-the-art [cryptography](https://www.wireguard.com/protocol/).
Additionally, WireGuard aims to be simpler and more performant.
+
+ ProtonVPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On ProtonVPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app.
+
+??? missing "Remote Port Forwarding"
+
+ ProtonVPN does not currently support remote port forwarding, which may impact some applications. Especially Peer-to-Peer applications like Torrent clients.
+
+??? check "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, ProtonVPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085) and [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US) allowing for easy connections to their servers. The mobile client on Android is also available in [F-Droid](https://f-droid.org/en/packages/ch.protonvpn.android), which ensures that it is compiled with [reproducible builds](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
+
+??? info "Additional Functionality"
+
+ ProtonVPN have their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, ProtonVPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
+
+### IVPN
+
+!!! recommendation
+
+ ![IVPN logo](/assets/img/vpn/ivpn.svg){ align=right }
+
+ **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.
+
+ **Standard USD $60/year** - **Pro USD $100/year**
+
+ [Visit IVPN.net](https://www.ivpn.net/){ .md-button .md-button--primary }
+
+???
check "32 Countries"
+
+ IVPN has [servers in 32 countries](https://www.ivpn.net/server-locations) at the time of writing this page. Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.
+
+ We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+??? check "Independently Audited"
+
+ IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future.
+
+??? check "Open Source Clients"
+
+ As of Feburary 2020 [IVPN applications are now open source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
+
+??? check "Accepts Bitcoin"
+
+ In addition to accepting credit/debit cards and PayPal, IVPN accepts **Bitcoin**, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment.
+
+??? check "WireGuard Support"
+
+ IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com)[^1] is a newer protocol that utilizes state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+ IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps.
IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? check "Remote Port Forwarding"
+
+ Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? check "Mobile Clients"
+
+ In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683) and [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client) allowing for easy connections to their servers. The mobile client on Android is also available in [F-Droid](https://f-droid.org/en/packages/net.ivpn.client), which ensures that it is compiled with [reproducible builds](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
+
+??? info "Additional Functionality"
+
+ IVPN clients support two factor authentication (Mullvad and ProtonVPN clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
+
+## Our Criteria
+
+!!! danger
+
+ It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy.
+
+**Please note we are not affiliated with any of the providers we recommend.
This allows us to provide completely objective recommendations.** We have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible.
+
+### Jurisdiction
+
+Operating outside the five/nine/fourteen-eyes countries is not a guarantee of privacy necessarily, and there are other factors to consider. However, we believe that avoiding these countries is important if you wish to avoid mass government dragnet surveillance, especially from the United States.
+
+**Minimum to Qualify:**
+
+- Operating outside the USA or other Five Eyes countries.
+
+**Best Case:**
+
+- Operating outside the USA or other Fourteen Eyes countries.
+- Operating inside a country with strong consumer protection laws.
+
+### Technology
+
+We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.
+
+**Minimum to Qualify:**
+
+- Support for strong protocols such as WireGuard & OpenVPN.
+- Killswitch built in to clients.
+- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
+- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency to the user about what their device is actually doing. We like to see these applications [available in F-Droid](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
+
+**Best Case:**
+
+- WireGuard and OpenVPN support.
+- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
+- Easy-to-use VPN clients
+- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow users to access services hosted on IPv6 addresses.
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) filesharing software, Freenet, or hosting a server (e.g., Mumble).
+
+### Privacy
+
+We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.
+
+**Minimum to Qualify:**
+
+- Bitcoin or cash payment option.
+- No personal information required to register: Only username, password, and email at most.
+
+**Best Case:**
+
+- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
+- No personal information accepted (autogenerated username, no email required, etc.)
+
+### Security
+
+A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.
+
+**Minimum to Qualify:**
+
+- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
+- Perfect Forward Secrecy (PFS).
+- Published security audits from a reputable third-party firm.
+
+**Best Case:**
+
+- Strongest Encryption: RSA-4096.
+- Perfect Forward Secrecy (PFS).
+- Comprehensive published security audits from a reputable third-party firm.
+- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
+
+### Trust
+
+You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.
+
+**Minimum to Qualify:**
+
+- Public-facing leadership or ownership.
+
+**Best Case:**
+
+- Public-facing leadership.
+- Frequent transparency reports.
+
+### Marketing
+
+With the VPN providers we recommend we like to see responsible marketing.
+
+**Minimum to Qualify:**
+
+- Must self host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those users who want to opt-out.
+
+Must not have any marketing which is irresponsible:
+
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, eg:
+
+- Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
+- [Browser fingerprinting](https://privacyguides.org/browsers/#fingerprint)
+
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
+- Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that a user is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example the visiting user might be on another VPN provider's service or using Tor.
+
+**Best Case:**
+
+Responsible marketing that is both educational and useful to the consumer could include:
+
+- An accurate comparison to when Tor or other [Self contained networks](https://privacyguides.org/software/networks/) should be used.
+- Availability of the VPN provider's website over a .onion [Hidden Service](https://en.wikipedia.org/wiki/.onion)
+
+### Additional Functionality
+
+While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.
+
+## VPN Overview
+
+### Should I use a VPN?
+
+**Yes**, unless you are already using Tor. A VPN does 2 things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third party service.
+
+VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
+
+However, they do hide your actual IP from a third party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+
+### What about encryption?
+
+Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption.
+
+In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider.
Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+### Should I use encrypted DNS with a VPN?
+
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third party servers will simply add more entities to trust, and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+
+A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
+
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you.
+
+### Should I use Tor _and_ a VPN?
+
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required).
+
+### What if I need anonymity?
+
+VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
+
+### What about VPN providers that provides Tor nodes?
+
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [http3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+
+Thus, this feature should be viewed as a convenient way to access the Tor Network, not to stay annonymous. For true anonimity, use the Tor Browser Bundle, TorSocks, or a Tor gateway.
+
+### When are VPNs useful?
+
+A VPN may still be useful to you in a variety of scenarios, such as:
+
+1. Hiding your traffic from **only** your Internet Service Provider.
+2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
+3. Hiding your IP from third party websites and services, preventing IP based tracking.
+
+For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy.
However, using a VPN provider still means you're _trusting_ the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
+
+### Sources and Further Reading
+
+1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
+2. [The self-contained networks](https://privacyguides.org/software/networks/) recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network
+3. [Slicing Onions: Part 1 – Myth-busting Tor](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904) by blacklight447
+4. [Slicing Onions: Part 2 – Onion recipes; VPN not required](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required) by blacklight447
+5. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides/)
+
+[^1]: "WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.
+
+## Related VPN information
+
+- [The Trouble with VPN and Privacy Review Sites](https://medium.com/privacyguides/the-trouble-with-vpn-and-privacy-review-sites-ae9b29eda8fd)
+- [Proxy.sh VPN Provider Sniffed Server Traffic to Catch Hacker](https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/)
+- [blackVPN announced to delete connection logs after disconnection](https://medium.com/@blackVPN/no-logs-6d65d95a3016)
+- [Don't use LT2P IPSec, use other protocols.](https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa)
+- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
+- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
+- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
+
+## VPN Related breaches - why external auditing is important!
+
+- ["Zero logs" VPN exposes millions of logs including user passwords, claims data is anonymous](https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/) July 2020
+- [NordVPN HTTP POST bug exposed customer information, no authentication required](https://www.zdnet.com/article/nordvpn-http-post-bug-exposed-sensitive-customer-information/) March 2020
+- [Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool](https://www.theregister.com/2019/10/21/nordvpn_security_issue/) October 2019
+- [VPN servers seized by Ukrainian authorities weren't encrypted and allowed authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them](https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/) July 2021
diff --git a/feed.json b/feed.json
deleted file mode 100644
index 66c1df11..00000000
--- a/feed.json
+++ /dev/null
@@ -1,25 +0,0 @@
----
-layout: null
----
-{
- "version": "https://jsonfeed.org/version/1",
- "title": "{{ site.title | xml_escape }}",
- "description": {{ site.description | jsonify }},
- "home_page_url": "{{ "/" | absolute_url }}",
- "feed_url": "{{ "/feed.json" | absolute_url }}",
- "user_comment": "This feed allows you to read the posts from this site in any feed reader that supports the JSON Feed format.",
- "items": [{% for post in site.posts %}
- {
- "id": "{{ post.url | absolute_url }}",
- "url": "{{ post.url | absolute_url }}",
- "title": {{ post.title | jsonify }},
- "content_html": {{ post.content | jsonify }},
- "date_published": "{{ post.date | date_to_xmlschema }}",
- "authors": [{% for author in post.author %}
- {
- "name": "{{ author }}"
- }{% unless forloop.last %}, {% endunless %}{% endfor %}
- ]
- }{% unless forloop.last %},{% endunless %}{% endfor %}
- ]
-}
\ No newline at end of file
diff --git a/feed.xml b/feed.xml
deleted file mode 100644
index 4b4f1297..00000000
--- a/feed.xml
+++ /dev/null
@@ -1,106 +0,0 @@ ---- -layout: null -collection: posts ---- - - -{% if page.xsl %} - -{% endif %} - - - - {{ site.time | date_to_xmlschema }} - {{ page.url | absolute_url | xml_escape }} - - {% assign title = site.title | default: site.name %} - {% if page.collection != "posts" %} - {% assign collection = page.collection | capitalize %} - {% assign title = title | append: " | " | append: collection %} - {% endif %} - {% if page.category %} - {% assign category = page.category | capitalize %} - {% assign title = title | append: " | " | append: category %} - {% endif %} - - {% if title %} - {{ title | smartify | xml_escape }} - {% endif %} - - {% if site.description %} - {{ site.description | xml_escape }} - {% endif %} - - {% if site.author %} - - {{ site.author.name | default: site.author | xml_escape }} - {% if site.author.email %} - {{ site.author.email | xml_escape }} - {% endif %} - {% if site.author.uri %} - {{ site.author.uri | xml_escape }} - {% endif %} - - {% endif %} - - {% if page.tags %} - {% assign posts = site.tags[page.tags] %} - {% else %} - {% assign posts = site[page.collection] %} - {% endif %} - {% if page.category %} - {% assign posts = posts | where: "categories", page.category %} - {% endif %} - {% unless site.show_drafts %} - {% assign posts = posts | where_exp: "post", "post.draft != true" %} - {% endunless %} - {% assign posts = posts | sort: "date" | reverse %} - {% assign posts_limit = site.feed.posts_limit | default: 10 %} - {% for post in posts limit: posts_limit %} - - {% assign post_title = post.title | smartify | strip_html | normalize_whitespace | xml_escape %} - - {{ post_title }} - - {{ post.date | date_to_xmlschema }} - {{ post.last_modified_at | default: post.date | date_to_xmlschema }} - {{ post.id | absolute_url | xml_escape }} - {% assign excerpt_only = post.feed.excerpt_only | default: site.feed.excerpt_only %} - {% unless excerpt_only %} - - {% endunless %} - - {% for author in post.author %} - - {{ author | xml_escape }} 
- - {% endfor %} - - {% if post.category %} - - {% elsif post.categories %} - {% for category in post.categories %} - - {% endfor %} - {% endif %} - - {% for tag in post.tags %} - - {% endfor %} - - {% assign post_summary = post.description | default: post.excerpt %} - {% if post_summary and post_summary != empty %} - - {% endif %} - - {% assign post_image = post.image.path | default: post.image %} - {% if post_image %} - {% unless post_image contains "://" %} - {% assign post_image = post_image | absolute_url %} - {% endunless %} - - - {% endif %} - - {% endfor %} - \ No newline at end of file diff --git a/index.html b/index.html deleted file mode 100644 index 0356a2d6..00000000 --- a/index.html +++ /dev/null @@ -1,98 +0,0 @@ ---- -layout: default ---- - -
-
-
-
-

The guide to restoring your online privacy.

-
Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.
-
-
- {% include svg/surveillance-eye.svg %} -
-
-
-
- -
- -
-
- {% include svg/phone-like-icon.svg %} -
-
-

Why should I care?

-
“I have nothing to hide. Why should I care about my privacy?”
-

Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, we didn't always have the right to privacy. In several dictatorships, many still don't. Generations before ours fought for our right to privacy. Privacy is a human right inherent to all of us that we are entitled to without discrimination.

-

You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. Everyone has something to hide, privacy is something that makes you human.

-
-
- -
-
-

What should I do?

-
First, you need to make a plan.
-

Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and by thinking ahead you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins with understanding the unique threats you face, and how you can counter them.

-

This process of identifying threats and defining countermeasures is called threat modeling, and it forms the basis of every good security and privacy plan.

- Learn More About Threat Modeling -
-
- {% include svg/plan-icon.svg %} -
-
- -
- -
-
-
-

We need you! Here's how to get involved

-
- -

It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. We try our best to keep up, but we're not perfect and the internet is changing fast. If you find an error, think a provider should not be listed here, notice a qualified service provider is missing, believe a browser plugin is not the best choice anymore, or uncover anything else... Talk to us please.

-
- - - - -
- -
-
-
-

Latest Updates

-
-
-
- {% for post in site.posts limit:2 %} - {% include blog-card.html %} - {% endfor %} -
-
- -
-
- -
- {% include footer.html %} -
diff --git a/legacy_pages/providers/email.html b/legacy_pages/providers/email.html
deleted file mode 100644
index 07f74e63..00000000
--- a/legacy_pages/providers/email.html
+++ /dev/null
@@ -1,274 +0,0 @@
----
-layout: page
-permalink: /providers/email/
-title: "Private Email Providers"
-description: "Find a secure email provider that will keep your privacy in mind. Don't settle for ad-supported platforms. Never trust any company with your privacy, always encrypt."
----
-
-{% include legacy/sections/email-warning.html %}
-
-{% include legacy/sections/email-providers.html %}
-
-
-

Our Email Provider Criteria

- -

Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations. We have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.

- -
-
-
-

{% include badge.html color="info" text="Jurisdiction" %}

-

Operating outside the five/nine/fourteen-eyes countries is not necessarily a guarantee of privacy, and there are other factors to consider.

-
-
-

Minimum to Qualify:

-
    -
  • Operating outside the USA or other Five Eyes countries.
  • -
-
-
-

Best Case:

-
    -
  • Operating outside the USA or other Fourteen Eyes countries.
  • -
  • Operating inside a country with strong consumer protection laws.
  • -
-
- -
-

{% include badge.html color="info" text="Technology" %}

-

We regard these features as important in order to provide a safe and optimal service to users. Users should consider the provider which has the features they require.

-
-
-

Minimum to Qualify:

-
    -
  • Encrypts account data at rest.
  • -
  • Integrated webmail encryption provides convenience to users who want improve on having no E2EE encryption.
  • -
-
-
-

Best Case:

-
    -
  • Encrypts account data at rest with zero-access encryption.
  • -
  • Allow users to use their own domain name. Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad, be acquired by another company which doesn't prioritize privacy etc.
  • -
  • Support for WKD to allow improved discovery of public OpenPGP keys via HTTP.
    GnuPG users can get a key by typing: gpg --locate-key example_user@example.com
  • -
  • Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
  • -
  • Availability of the email provider's services via an onion service.
  • -
  • Subaddressing support.
  • -
  • Catch all or aliases for users who own their own domains.
  • -
  • Use of standard email access protocols such as IMAP, SMTP or JMAP. Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
  • -
-
- -
-

{% include badge.html color="info" text="Privacy" %}

-

We prefer our recommended providers to collect as little data as possible.

-
-
-

Minimum to Qualify:

-
    -
  • Protect sender's IP address. Filter it from showing in the Received header field.
  • -
  • Don't require personally identifiable information (PII) besides username and password.
  • -
  • Privacy policy that meets the requirements defined by the GDPR
  • -
-
-
-

Best Case:

-
    -
  • Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
  • -
-
- -
-

{% include badge.html color="info" text="Security" %}

-

Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their users.

-
-
-

Minimum to Qualify:

- -
-
-

Best Case:

-
    -
  • Support for hardware authentication, ie U2F and WebAuthn. U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate users, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated domain name.
  • -
  • Zero access encryption, builds on encryption at rest. The difference being the provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
  • -
  • DNS Certification Authority Authorization (CAA) Resource Record in addition to DANE support.
  • -
  • Implementation of Authenticated Received Chain (ARC), this is useful for users who post to mailing lists RFC8617.
  • -
  • Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
  • -
  • Website security standards such as:
  • - -
-
- -
-

{% include badge.html color="info" text="Trust" %}

-

You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.

-
-
-

Minimum to Qualify:

-
    -
  • Public-facing leadership or ownership.
  • -
-
-
-

Best Case:

-
    -
  • Public-facing leadership.
  • -
  • Frequent transparency reports.
  • -
-
- -
-

{% include badge.html color="info" text="Marketing" %}

-

With the email providers we recommend we like to see responsible marketing.

-
-
-

Minimum to Qualify:

-
    -
  • Must self host analytics (no Google Analytics etc). The provider's site must also comply with DNT (Do Not Track) for those users who want to opt-out.
  • -
-

Must not have any marketing which is irresponsible:

-
    -
  • Claims of "unbreakable encryption". Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
  • -
  • Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, e.g.:
  • -
      -
    • Reusing personal information e.g. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
    • -
    • Browser fingerprinting
    • -
    -
-
-
-

Best Case:

-
    -
  • Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc.
  • -
-
- -
-

{% include badge.html color="info" text="Additional Functionality" %}

-

While not strictly requirements, there are some factors we looked into when determining which providers to recommend.

-
-
-
-
- -

Email encryption

-
-
-
-

What is end-to-end encryption (E2EE) encryption in email?

-

End-to-end encryption (E2EE) is a way of encrypting email contents so that nobody but the recipient(s) can read the email message.

-

How can I encrypt my email?

-

The standard way to do email E2EE and have it work between different email providers is with OpenPGP. There are different implementations of the OpenPGP standard, the most common being GnuPG and OpenPGP.js.

-

There is another standard that was popular with business called S/MIME, however it requires a certificate issued from a Certificate Authority (not all of them issue S/MIME certificates). It has support in Google Workplace and Outlook for Web or Exchange Server 2016, 2019.

-

What software can I use to get E2EE?

-

Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the email clients we recommend. This can be less secure as you are now relying on email providers to ensure that their encryption implementation works and has not been compromised in anyway.

-
-
-

How do I protect my private keys?

-

A smartcard (such as a Yubikey or Nitrokey) works by receiving an encrypted email message from a device (phone, tablet, computer etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.

-

It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.

-
-
-
- -

Email metadata

-
-
-
-

Who can see the email metadata?

-

Email metadata is able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients. Sometimes email servers will also use external parties to protect against spam.

-

What is email metadata?

-

Email software will often show some visible headers that you may have seen such as: To, From, Cc, Date, Subject. -

-

When is email metadata used?

-

Client software may use it to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among other purposes not transparent to the user.

-
-
-

Where is the email metadata?

-

Email metadata is stored in the message header of the email message.

-

Why can't email metadata be E2EE?

-

Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally and is also optional, therefore, only the message content is protected.

-

How is my metadata protected?

-

When emails travel between email providers an encrypted connection is negotiated using Opportunistic TLS. This protects the metadata from outside observers, but as it is not E2EE, server administrators can snoop on the metadata of an email.

-
-
-
- -
- -

Email cloaking services

-
- - AnonAddy - -
-

AnonAddy lets users create aliases that forward to their email address. Can be self-hosted. Source code on GitHub.

- - SimpleLogin - -
-

SimpleLogin allows you to easily create aliases for your email. Can be self-hosted. Source code on GitHub.

-
- -

Self-hosting Email

-
-

Advanced users may consider setting up their own email server. Mailservers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.

-

Combined software solutions

- - Mail-in-a-Box - -
-

Mail-in-a-Box is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for users to set up their own mail server.

-
- - Mailcow - -

Mailcow is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mailserver with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. Mailcow Dockerized docs

- -
-
-

For a more manual approach we've picked out these two articles.

- -
- -

Related Email Articles

-
diff --git a/legacy_pages/providers/social-networks.html b/legacy_pages/providers/social-networks.html
deleted file mode 100644
index 0cc5dd68..00000000
--- a/legacy_pages/providers/social-networks.html
+++ /dev/null
@@ -1,21 +0,0 @@
----
-layout: page
-permalink: /providers/social-networks/
-title: "Social Networks"
-description: "Find a social network that doesn't pry into your data or monetize your profile."
----
-
-{% include legacy/sections/social-networks.html %}
-
-

Related Information

-
    -
  • JustDeleteMe - A directory of direct links to delete your account from web services.
  • -
  • Forget - A service that automatically deletes your old posts on Twitter and Mastodon that everyone has forgotten about.
  • -
- -

Facebook Related

-
diff --git a/legacy_pages/providers/social-news-aggregator.html b/legacy_pages/providers/social-news-aggregator.html
deleted file mode 100644
index d0c341d3..00000000
--- a/legacy_pages/providers/social-news-aggregator.html
+++ /dev/null
@@ -1,8 +0,0 @@
----
-layout: page
-permalink: /providers/social-news-aggregator/
-title: "Social News Aggregator"
-description: "Stay up-to-date with privacy-respecting online bulletin boards."
----
-
-{% include legacy/sections/social-news-aggregator.html %}
diff --git a/legacy_pages/providers/vpn.html b/legacy_pages/providers/vpn.html
deleted file mode 100644
index bfdc2c79..00000000
--- a/legacy_pages/providers/vpn.html
+++ /dev/null
@@ -1,287 +0,0 @@
----
-layout: page
-permalink: /providers/vpn/
-title: "VPN Services"
-description: "Find a no-logging VPN operator who isn't out to sell or read your web traffic."
----
-
-
-
Warning
-
-

Using a VPN will not keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.

-

If you are looking for anonymity, you should use the Tor Browser instead of a VPN.

-

If you're looking for added security, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.

-

If you're looking for additional privacy from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.

- Download Tor - Tor Myths & FAQ - More Info -
-
- -{% include legacy/sections/vpn.html %} - -
-

Our VPN Provider Criteria

- -

Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations. We have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible.

- -
-
-
-

{% include badge.html color="info" text="Jurisdiction" %}

-

Operating outside the five/nine/fourteen-eyes countries is not a guarantee of privacy necessarily, and there are other factors to consider. However, we believe that avoiding these countries is important if you wish to avoid mass government dragnet surveillance, especially from the United States.

-
-
-

Minimum to Qualify:

-
    -
  • Operating outside the USA or other Five Eyes countries.
  • -
-
-
-

Best Case:

-
    -
  • Operating outside the USA or other Fourteen Eyes countries.
  • -
  • Operating inside a country with strong consumer protection laws.
  • -
-
- -
-

{% include badge.html color="info" text="Technology" %}

-

We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. If a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected.

-
-
-

Minimum to Qualify:

-
    -
  • Support for strong protocols such as WireGuard & OpenVPN.
  • -
  • Killswitch built in to clients.
  • -
  • Multihop support. Multihopping is important to keep data private in case of a single node compromise.
  • -
  • If VPN clients are provided, they should be open source, like the VPN software they generally have built into them. We believe that source code availability provides greater transparency to the user about what their device is actually doing. We like to see these applications available in F-Droid.
  • -
-
-
-

Best Case:

-
    -
  • WireGuard and OpenVPN support.
  • -
  • Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
  • -
  • Easy-to-use VPN clients
  • -
  • Supports IPv6. We expect that servers will allow incoming connections via IPv6 and allow users to access services hosted on IPv6 addresses.
  • -
  • Capability of remote port forwarding assists in creating connections when using P2P (Peer-to-Peer) filesharing software, Freenet, or hosting a server (e.g., Mumble).
  • -
-
- -
-

{% include badge.html color="info" text="Privacy" %}

-

We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required.

-
-
-

Minimum to Qualify:

-
    -
  • Bitcoin or cash payment option.
  • -
  • No personal information required to register: Only username, password, and email at most.
  • -
-
-
-

Best Case:

-
    -
  • Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
  • -
  • No personal information accepted (autogenerated username, no email required, etc.)
  • -
-
- -
-

{% include badge.html color="info" text="Security" %}

-

A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis.

-
-
-

Minimum to Qualify:

-
    -
  • Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
  • -
  • Perfect Forward Secrecy (PFS).
  • -
  • Published security audits from a reputable third-party firm.
  • -
-
-
-

Best Case:

-
    -
  • Strongest Encryption: RSA-4096.
  • -
  • Perfect Forward Secrecy (PFS).
  • -
  • Comprehensive published security audits from a reputable third-party firm.
  • -
  • Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
  • -
-
- -
-

{% include badge.html color="info" text="Trust" %}

-

You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled.

-
-
-

Minimum to Qualify:

-
    -
  • Public-facing leadership or ownership.
  • -
-
-
-

Best Case:

-
    -
  • Public-facing leadership.
  • -
  • Frequent transparency reports.
  • -
-
- -
-

{% include badge.html color="info" text="Marketing" %}

-

With the VPN providers we recommend we like to see responsible marketing.

-
-
-

Minimum to Qualify:

-
    -
  • Must self host analytics (no Google Analytics etc). The provider's site must also comply with DNT (Do Not Track) for those users who want to opt-out.
  • -
-

Must not have any marketing which is irresponsible:

-
    -
  • Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, eg:
  • -
      -
    • Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
    • -
    • Browser fingerprinting
    • -
    -
  • Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
  • -
  • Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that a user is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example the visiting user might be on another VPN provider's service or using Tor.
  • -
-
-
-

Best Case:

-

Responsible marketing that is both educational and useful to the consumer could include:

- -
- -
-

{% include badge.html color="info" text="Additional Functionality" %}

-

While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc.

-
-
-
-
- -

Further Information

- -
-
-
-

Should I use a VPN?

-

Yes, unless you are already using Tor. A VPN does 2 things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third party service.

-

VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.

-

However, they do hide your actual IP from a third party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.

-

What about encryption?

-

Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption.

-

In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like SSL Strip.

-

Should I use encrypted DNS with a VPN?

-

Unless your VPN provider hosts the encrypted DNS servers, no. Using DOH/DOT (or any other form of encrypted DNS) with third party servers will simply add more entities to trust, and does absolutely nothing to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.

-

A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for TLS certificates with HTTPS and warn you about it. If you are not using HTTPS, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.

-

Needless to say, you shouldn't use encrypted DNS with Tor. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you.

-
-
-

Should I use Tor and a VPN?

-

By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. Read more about Tor bridges and why using a VPN is not necessary.

-

What if I need anonymity?

-

VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use Tor instead.

-

What about VPN providers that provides Tor nodes?

-

Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the TCP protocol. UDP (used in WebRTC for voice and video sharing, the new http3/QUIC protocol, etc), ICMP and other packets will be dropped. To compensate for this, VPN providers typically will route all non TCP packets through their VPN server (your first hop). This is the case with ProtonVPN. Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as Isolated Destination Address (using a different Tor circuit for every domain you visit).

-

Thus, this feature should be viewed as a convenient way to access the Tor Network, not to stay annonymous. For true anonimity, use the Tor Browser Bundle, TorSocks, or a Tor gateway.

-

When are VPNs useful?

-

A VPN may still be useful to you in a variety of scenarios, such as:

-
    -
  1. Hiding your traffic from only your Internet Service Provider.
  2. -
  3. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
  4. -
  5. Hiding your IP from third party websites and services, preventing IP based tracking.
  6. -
-

For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're trusting the provider. In pretty much any other scenario you should be using a secure-by-design tool such as Tor.

-
-
-
-
-

Sources and Further Reading: -

    -
  1. VPN - a Very Precarious Narrative by Dennis Schubert
  2. -
  3. The self-contained networks recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network
  4. -
  5. Slicing Onions: Part 1 – Myth-busting Tor by blacklight447
  6. -
  7. Slicing Onions: Part 2 – Onion recipes; VPN not required by blacklight447
  8. -
  9. IVPN Privacy Guides
  10. -
-

-

-

Legal:

-

"WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.

-
-
-
- -
- - - -
- - -
diff --git a/legacy_pages/software/cal-card.html b/legacy_pages/software/cal-card.html
deleted file mode 100644
index 24dae557..00000000
--- a/legacy_pages/software/cal-card.html
+++ /dev/null
@@ -1,8 +0,0 @@
----
-layout: page
-permalink: /software/calendar-contacts/
-title: "Calendar and Contact Sync Tools"
-description: "Discover free, open-source, and secure ways to sync your contacts and calendars across your devices."
----
-
-{% include legacy/sections/calendar-contacts-sync.html %}
diff --git a/legacy_pages/software/email.html b/legacy_pages/software/email.html
deleted file mode 100644
index 451d0e94..00000000
--- a/legacy_pages/software/email.html
+++ /dev/null
@@ -1,11 +0,0 @@
----
-layout: page
-permalink: /software/email/
-title: "Email Clients"
-description: "Discover free, open-source, and secure email clients, along with some email alternatives you may not have considered."
----
-
-{% include legacy/sections/email-warning.html %}
-
-{% include legacy/sections/email-clients.html %}
-
diff --git a/legacy_pages/software/file-encryption.html b/legacy_pages/software/file-encryption.html
deleted file mode 100644
index 40f9d153..00000000
--- a/legacy_pages/software/file-encryption.html
+++ /dev/null
@@ -1,9 +0,0 @@
----
-layout: page
-permalink: /software/file-encryption/
-title: "File Encryption Software"
-description: "Get working and collaborating without sharing your documents with a middleman or trusting a cloud provider."
----
-
-{% include legacy/sections/file-encryption.html %}
-
diff --git a/legacy_pages/software/file-sharing.html b/legacy_pages/software/file-sharing.html
deleted file mode 100644
index 8a48a165..00000000
--- a/legacy_pages/software/file-sharing.html
+++ /dev/null
@@ -1,10 +0,0 @@
----
-layout: page
-permalink: /software/file-sharing/
-title: "File Sharing and Sync"
-description: "Discover how to privately share your files between your devices, with your friends and family, or anonymously online."
----
-
-{% include legacy/sections/file-sharing.html %}
-
-{% include legacy/sections/file-sync.html %}
diff --git a/legacy_pages/software/metadata-removal-tools.html b/legacy_pages/software/metadata-removal-tools.html
deleted file mode 100644
index 1b3d6dfc..00000000
--- a/legacy_pages/software/metadata-removal-tools.html
+++ /dev/null
@@ -1,9 +0,0 @@
----
-layout: page
-permalink: /software/metadata-removal-tools/
-title: "Metadata Removal Tools"
-description: "Get working and collaborating without sharing your documents with a middleman or trusting a cloud provider."
----
-
-{% include legacy/sections/metadata-removal-tools.html %}
-
diff --git a/legacy_pages/software/networks.html b/legacy_pages/software/networks.html
deleted file mode 100644
index 71c0fe01..00000000
--- a/legacy_pages/software/networks.html
+++ /dev/null
@@ -1,11 +0,0 @@
----
-layout: page
-permalink: /software/networks/
-title: "Self-Contained Networks"
-description: "If you are currently browsing clearnet and want to access the dark web, this section is for you."
-hidedesc: true
----
-
-{% include legacy/sections/self-contained-networks.html %}
-
-

Related Information

diff --git a/legacy_pages/software/notebooks.html b/legacy_pages/software/notebooks.html
deleted file mode 100644
index 643dee29..00000000
--- a/legacy_pages/software/notebooks.html
+++ /dev/null
@@ -1,8 +0,0 @@
----
-layout: page
-permalink: /software/notebooks/
-title: "Notebooks"
-description: "Keep track of your notes and journalings without giving them to a third party."
----
-
-{% include legacy/sections/notebooks.html %}
diff --git a/legacy_pages/software/passwords.html b/legacy_pages/software/passwords.html
deleted file mode 100644
index cf388855..00000000
--- a/legacy_pages/software/passwords.html
+++ /dev/null
@@ -1,14 +0,0 @@
----
-layout: page
-permalink: /software/passwords/
-title: "Password Managers"
-description: "Stay safe and secure online with an encrypted and open-source password manager."
----
-
-{% include legacy/sections/password-managers.html %}
-
-

Related Information

- -
diff --git a/legacy_pages/software/productivity.html b/legacy_pages/software/productivity.html
deleted file mode 100644
index 5e239d28..00000000
--- a/legacy_pages/software/productivity.html
+++ /dev/null
@@ -1,8 +0,0 @@
----
-layout: page
-permalink: /software/productivity/
-title: "Productivity Tools"
-description: "Get working and collaborating without sharing your documents with a middleman or trusting a cloud provider."
----
-
-{% include legacy/sections/productivity-tools.html %}
diff --git a/mkdocs.production.yml b/mkdocs.production.yml
new file mode 100644
index 00000000..15b8eab8
--- /dev/null
+++ b/mkdocs.production.yml
@@ -0,0 +1,5 @@
+INHERIT: mkdocs.yml
+site_url: "https://www.privacyguides.org/"
+plugins:
+ - search
+ - privacy
diff --git a/mkdocs.yml b/mkdocs.yml
new file mode 100644
index 00000000..f3e19dff
--- /dev/null
+++ b/mkdocs.yml
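Review bot: The `plugins:` list in `mkdocs.production.yml` replaces the one in `mkdocs.yml` instead of extending it, because MkDocs `INHERIT` deep-merges mappings but not lists; the `- tags` entry declared in the base file is therefore likely absent from the production build. It also means `privacy`, which looks like the only control keeping third-party asset requests out of the deployed pages, is active only when this override file is the one passed to `mkdocs build`. I would repeat the base entry here, `- tags`, between `- search` and `- privacy`, and add a comment such as `# privacy must stay enabled for every published build` above the list.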
@@ -0,0 +1,134 @@
+site_name: Privacy Guides
+site_description: |
+ Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.
+copyright: This content was made available by the Privacy Guides team and contributors. Get involved!
+extra:
+ generator: false
+ social:
+ - icon: fontawesome/brands/twitter
+ link: https://twitter.com/privacy_guides
+ - icon: fontawesome/brands/github
+ link: https://github.com/privacyguides
+ - icon: fontawesome/brands/reddit-alien
+ link: https://reddit.com/r/PrivacyGuides
+repo_url: https://github.com/privacyguides/privacyguides.org
+repo_name: privacyguides.org
+edit_uri: edit/main/docs/
+
+nav:
+ - Home: 'index.md'
+ - 'Privacy Introduction':
+ - 'Threat Modeling': 'threat-modeling.md'
+ - 'Security Basics':
+ - 'Multi-Factor Authentication': 'multi-factor-authentication.md'
+ - 'Recommendations':
+ - 'Privacy Tools': 'tools.md'
+ - 'Operating Systems':
+ - 'Android': 'android.md'
+ - 'Linux Desktop': 'linux-desktop.md'
+ - 'QubesOS': 'qubes.md'
+ - 'Router Firmware': 'router.md'
+ - 'Browsers':
+ - 'Web Browsers': 'browsers.md'
+ - 'Providers':
+ - 'Cloud Storage': 'cloud.md'
+ - 'DNS Servers': 'dns.md'
+ - 'Email Providers': 'email.md'
+ - 'Search Engines': 'search-engines.md'
+ - 'Social Networks': 'social-networks.md'
+ - 'Social News Aggregators': 'social-news-aggregator.md'
+ - 'VPN Providers': 'vpn.md'
+ - 'Software':
+ - 'Calendar/Contacts Sync': 'calendar-contacts.md'
+ - 'Digital Notebooks': 'notebooks.md'
+ - 'Email Clients': 'email-clients.md'
+ - 'Encryption Tools': 'encryption.md'
+ - 'File Sharing/Sync': 'file-sharing.md'
+ - 'Metadata Removal Tools': 'metadata-removal-tools.md'
+ - 'Password Managers': 'passwords.md'
+ - 'Productivity Tools': 'productivity.md'
+ - 'Real-Time Communication': 'real-time-communication.md'
+ - 'Self-Contained Networks': 'self-contained-networks.md'
+ - 'Video Streaming': 'video-streaming.md'
+ - 'Blog':
+ - 'Blog Index': 'blog.md'
+ - '2021':
+ - 'December':
+ - 'Firefox Privacy: 2021 Update': 'blog/2021/12/01/firefox-privacy-2021-update.md'
+ - 'November':
+ - 'Virtual Insanity': 'blog/2021/11/01/virtual-insanity.md'
+ - 'September':
+ - 'Welcome to Privacy Guides': 'blog/2021/09/14/welcome-to-privacy-guides.md'
+ - '2019':
+ - 'November':
+ - 'Firefox Privacy': 'blog/2019/11/09/firefox-privacy.md'
+ - 'October':
+ - 'Choosing a VPN': 'blog/2019/10/30/choosing-a-vpn.md'
+ - 'Understanding VPNs': 'blog/2019/10/05/understanding-vpns.md'
+ - 'August':
+ - 'Self Hosting a Shadowsocks VPN with Outline': 'blog/2019/08/22/self-hosting-shadowsocks-vpn-outline.md'
+
+theme:
+ name: material
+ custom_dir: theme
+ logo: assets/logo.svg
+ favicon: assets/img/layout/favicon.ico
+ icon:
+ repo: fontawesome/brands/github
+ font: false
+ features:
+ - navigation.tracking
+ - navigation.tabs
+ - navigation.tabs.sticky
+ - navigation.sections
+ palette:
+ - media: "(prefers-color-scheme: light)"
+ scheme: default
+ accent: deep purple
+ toggle:
+ icon: material/toggle-switch-off-outline
+ name: Switch to dark mode
+ - media: "(prefers-color-scheme: dark)"
+ scheme: slate
+ accent: deep purple
+ toggle:
+ icon: material/toggle-switch
+ name: Switch to light mode
+
+plugins:
+ - tags
+extra_css:
+ - stylesheets/extra.css
+markdown_extensions:
+ - admonition
+ - pymdownx.details
+ - pymdownx.superfences:
+ custom_fences:
+ - name: mermaid
+ class: mermaid
+ format: !!python/name:pymdownx.superfences.fence_code_format
+ - pymdownx.tabbed:
+ alternate_style: true
+ - pymdownx.arithmatex:
+ generic: true
+ - pymdownx.critic
+ - pymdownx.caret
+ - pymdownx.keys
+ - pymdownx.mark
+ - pymdownx.tilde
+ - attr_list
+ - md_in_html
+ - meta
+ - pymdownx.emoji:
+ emoji_index: !!python/name:materialx.emoji.twemoji
+ emoji_generator: !!python/name:materialx.emoji.to_svg
+ options:
+ custom_icons:
+ - theme/.icons
+ - tables
+ - footnotes
+
+extra_javascript:
+ - javascripts/mathjax.js
+ - https://polyfill.io/v3/polyfill.min.js?features=es6
+ - https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js
diff --git a/notices.md b/notices.md
deleted file mode 100644
index 33733c74..00000000
--- a/notices.md
+++ /dev/null
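Review bot: The two remote `extra_javascript` entries that close the `mkdocs.yml` hunk load executable script from `polyfill.io` (a domain that has since changed ownership and been used to serve malicious code) and from `cdn.jsdelivr.net/npm/mathjax@3`, a floating major-version tag, with nothing pinning what is served. The `package-lock.json` deleted in this same commit pinned `mathjax` 3.2.0 with a sha512 integrity value, so the change trades a verified dependency for whatever the CDN returns at request time. The `privacy` plugin in `mkdocs.production.yml` appears to be what self-hosts these files, but it presumably fetches them at build time, and any build from `mkdocs.yml` alone leaves visitors' browsers contacting both hosts directly. I would pin the exact release, `- https://cdn.jsdelivr.net/npm/mathjax@3.2.0/es5/tex-mml-chtml.js`, or vendor both files under `javascripts/` next to `mathjax.js`, and drop the polyfill line if ES6 support can be assumed for the audience.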
@@ -1,46 +0,0 @@ ---- -layout: page -permalink: /terms-and-notices/ -title: "Notices and Disclaimers" -description: "Privacy Guides is provided with good intentions on an "as-is" basis, without warranty, and disclaiming liability for damages." ---- - -Section 1 - -# Legal Disclaimer -Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. - -Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. - -Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. - -Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. 
- -Section 2 - -# Licenses -Unless otherwise noted, all content on this website is made freely available under the terms of the [Creative Commons CC0 1.0 Universal](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). - -This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: - - * [Sortable](https://github.com/privacyguides/privacyguides.org/blob/main/assets/js/sortable.min.js) is under the MIT license. See: [github.com/HubSpot/sortable/raw/master/LICENSE](https://github.com/HubSpot/sortable/raw/master/LICENSE) - -Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE). - -This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the CC0 1.0 Universal text. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. - -We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://en.wikipedia.org/wiki/Fair_use) allows the use of copyrighted image in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. 
*When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* - -When you contribute to this repository you are doing so under the above licenses. - -Section 3 - -# Acceptable Use -You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. - -You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent from Aragon Ventures LLC, including: - * Excessive Automated Scans - * Denial of Service Attacks - * Scraping - * Data Mining - * 'Framing' (IFrames) diff --git a/package-lock.json b/package-lock.json deleted file mode 100644 index 0ef9eddf..00000000 --- a/package-lock.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "name": "privacyguides", - "version": "1.0.0", - "lockfileVersion": 2, - "requires": true, - "packages": { - "": { - "name": "privacyguides", - "version": "1.0.0", - "license": "ISC", - "dependencies": { - "@fortawesome/fontawesome-pro": "^6.1.1", - "bootstrap": "^5.1.3", - "mathjax": "^3.2.0" - } - }, - "node_modules/@fortawesome/fontawesome-pro": { - "version": "6.1.1", - "resolved": "https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.1.1/fontawesome-pro-6.1.1.tgz", - "integrity": "sha512-0w6GM8sCXNpcBLUz4bx61JvjjoCvfEIz5wBz2KjLNw9qk1F2XiUWuifXobvLbwaA7kqPGBRPo3U8Zw7zyaJ9sA==", - "engines": { - "node": ">=6" - } - }, - "node_modules/@popperjs/core": { - "version": "2.10.2", - "resolved": "https://registry.npmjs.org/@popperjs/core/-/core-2.10.2.tgz", - "integrity": "sha512-IXf3XA7+XyN7CP9gGh/XB0UxVMlvARGEgGXLubFICsUMGz6Q+DU+i4gGlpOxTjKvXjkJDJC8YdqdKkDj9qZHEQ==", - "peer": true, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/popperjs" - } - }, - "node_modules/bootstrap": { - "version": "5.1.3", - "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-5.1.3.tgz", - "integrity": "sha512-fcQztozJ8jToQWXxVuEyXWW+dSo8AiXWKwiSSrKWsRB/Qt+Ewwza+JWoLKiTuQLaEPhdNAJ7+Dosc9DOIqNy7Q==", - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/bootstrap" - }, - "peerDependencies": { - "@popperjs/core": "^2.10.2" - } - }, - "node_modules/mathjax": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/mathjax/-/mathjax-3.2.0.tgz", - "integrity": "sha512-PL+rdYRK4Wxif+SQ94zP/L0sv6/oW/1WdQiIx0Jvn9FZaU5W9E6nlIv8liYAXBNPL2Fw/i+o/mZ1212eSzn0Cw==" - } - }, - "dependencies": { - "@fortawesome/fontawesome-pro": { - "version": "6.1.1", - "resolved": "https://npm.fontawesome.com/@fortawesome/fontawesome-pro/-/6.1.1/fontawesome-pro-6.1.1.tgz", - "integrity": "sha512-0w6GM8sCXNpcBLUz4bx61JvjjoCvfEIz5wBz2KjLNw9qk1F2XiUWuifXobvLbwaA7kqPGBRPo3U8Zw7zyaJ9sA==" - }, - "@popperjs/core": { - 
"version": "2.10.2", - "resolved": "https://registry.npmjs.org/@popperjs/core/-/core-2.10.2.tgz", - "integrity": "sha512-IXf3XA7+XyN7CP9gGh/XB0UxVMlvARGEgGXLubFICsUMGz6Q+DU+i4gGlpOxTjKvXjkJDJC8YdqdKkDj9qZHEQ==", - "peer": true - }, - "bootstrap": { - "version": "5.1.3", - "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-5.1.3.tgz", - "integrity": "sha512-fcQztozJ8jToQWXxVuEyXWW+dSo8AiXWKwiSSrKWsRB/Qt+Ewwza+JWoLKiTuQLaEPhdNAJ7+Dosc9DOIqNy7Q==", - "requires": {} - }, - "mathjax": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/mathjax/-/mathjax-3.2.0.tgz", - "integrity": "sha512-PL+rdYRK4Wxif+SQ94zP/L0sv6/oW/1WdQiIx0Jvn9FZaU5W9E6nlIv8liYAXBNPL2Fw/i+o/mZ1212eSzn0Cw==" - } - } -} diff --git a/package.json b/package.json deleted file mode 100644 index 9086545c..00000000 --- a/package.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "name": "privacyguides", - "version": "1.0.0", - "description": "", - "main": "index.js", - "scripts": { - "assets:copy:js": "mkdir -p assets/js/vendor && cp node_modules/bootstrap/dist/js/bootstrap.bundle.min.* node_modules/mathjax/es5/tex-svg.js assets/js/vendor/", - "assets:copy:icons": "mkdir -p assets/fonts/vendor/fontawesome && cp -a \"node_modules/@fortawesome/fontawesome-pro/.\" assets/fonts/vendor/fontawesome/", - "assets:install": "npm run assets:copy:js && npm run assets:copy:icons", - "build": "npm run assets:install && bundle exec jekyll build", - "serve": "npm run assets:install && bundle exec jekyll serve --livereload" - }, - "repository": { - "type": "git", - "url": "git+https://github.com/privacyguides/privacyguides.git" - }, - "keywords": [], - "author": "", - "license": "ISC", - "bugs": { - "url": "https://github.com/privacyguides/privacyguides/issues" - }, - "homepage": "https://github.com/privacyguides/privacyguides#readme", - "dependencies": { - "@fortawesome/fontawesome-pro": "^6.1.1", - "bootstrap": "^5.1.3", - "mathjax": "^3.2.0" - } -} 
diff --git a/privacy-policy.md b/privacy-policy.md
deleted file mode 100644
index 61a006d6..00000000
--- a/privacy-policy.md
+++ /dev/null
@@ -1,116 +0,0 @@ ---- -layout: page -permalink: /privacy-policy/ -title: "Privacy Q&A" -description: "This Privacy Statement explains what information Privacy Guides and its related entities collect about its users, what we do with that information, and how we handle the content you place in our products and services." ---- - -## Who is Privacy Guides? - -Privacy Guides is a community project currently under the stewardship of Aragon Ventures LLC, a Minnesota corporation, which develops this website and a number of privacy-friendly services alongside a number of active contributors. The current list of public team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). Aragon Ventures LLC operates internet services and handles the financials of this project. - -In the future, Privacy Guides will be an independently operated non-profit organization. - -## How does Privacy Guides collect data about me? - -We collect data: - -* When you browse a website, forum, or other Privacy Guides service. -* When you create an account on a Privacy Guides service. -* When you post, send private messages, or otherwise participate on a Privacy Guides service. - -This data will be collected regardless of browser, device, or app used to access our services. We do not buy or otherwise receive data from data brokers. - -## What data do you collect and why? - -### We collect data about visits to our websites. - -When you visit a Privacy Guides website or service, regardless of whether you have an account or not, the website may use cookies, server logs, and other methods to collect the following data: - -* What pages you visit, -* Your anonymized IP address: We anonymize the last 3 bytes of your IP, e.g. 192.xxx.xxx.xxx. - -We use this data to: - -* Optimize websites and services, so that they are quick and easy to use, -* Diagnose and debug technical errors, -* Defend websites and services from abuse and technical attacks. 
- -This data is processed under our [Legitimate Interest](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/) to provide our services to you in a an efficient and secure manner and to ensure the legal compliance and proper administration of our business. - -Raw data such as pages visited, anonymized visitor IPs, and visitor actions will be retained for 60 days. In special circumstances—such as extended investigations regarding a technical attack—we may preserve logged data for longer periods for analysis. We store aggregate statistics about use of the websites and services we host indefinitely, but those statistics do not include data identifiable to you personally. - -### We collect account data. - -On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. - -To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. - -We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. - -We use your email to: - -* Notify you about posts and other activity on the websites or services. -* Reset your password and help keep your account secure. -* Contact you in special circumstances related to your account. -* Contact you about legal requests, such as DMCA takedown requests. - -On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. 
We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. - -We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. - -## Who is my data shared with? - -When you use services provided by Privacy Guides your data is processed by Aragon Ventures LLC in order to facilitate their hosting obligations. Aragon Ventures LLC may collect and use your data as described in their privacy statement at [https://aragon.ventures/privacy](https://aragon.ventures/privacy/). - -Your account data, posts, and other activities on Privacy Guides services is shared with others as mentioned in the section about account data. - -## Where is my data stored? - -The primary datacenter for Privacy Guides is located in Finland. Some websites, services, or backups may reside in datacenters in multiple jurisdictions, including the United States and the European Union. - -## Is Privacy Guides GDPR compliant? - -We respect privacy rights under [Regulation (EU) 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG), the European Union’s General Data Protection Regulation (GDPR). Information that GDPR requires us to give can be found throughout this document. - -## What are my data protection rights? - -We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following: - -* **The right to access** – You have the right to request access to your personal data or copies of your personal data from us. We may charge you a small fee for providing a copy of your data. -* **The right to rectification** – You have the right to request that we correct any information you believe is inaccurate or incomplete. 
-* **The right to erasure** – You have the right to request that we erase your personal data, under certain conditions. -* **The right to restrict processing** – You have the right to request that we restrict the processing of your personal data, under certain conditions. -* **The right to object to processing** – You have the right to object to our processing of your personal data, under certain conditions. -* **The right to data portability** – You have the right to request that we transfer the data that we have collected to another organization or directly to you under certain conditions. - -## How can I contact the Privacy Guides team about privacy? - -The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to the data controller for these services, Aragon Ventures LLC: - -``` -Jonah Aragon -Services Administrator, Aragon Ventures LLC -privacy@aragon.ventures -``` - -or write to: - -``` -Aragon Ventures LLC -PO Box 201 -Anoka, MN 55303 -United States -``` - -For all other inquiries, you can contact the team via methods described on our [contact page](https://privacyguides.org/contact/). - -For complaints under GDPR more generally, European Union users may lodge complaints with their local data protection supervisory authorities. - -## How can I find out about changes to this document? - -This version of our privacy statement took effect October 9th, 2019. - -We will post any new versions of this statement at [https://privacyguides.org/privacy-policy/](https://privacyguides.org/privacy-policy/). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to [https://privacyguides.org/privacy-policy/](https://privacyguides.org/privacy-policy/) for the latest contact information at any time. 
- -A full [revision history](https://github.com/privacyguides/privacyguides/commits/main/privacy-policy.md) for this page can be found on GitHub. diff --git a/theme/.icons/pg/f-droid.svg b/theme/.icons/pg/f-droid.svg new file mode 100644 index 00000000..9e992ce3 --- /dev/null +++ b/theme/.icons/pg/f-droid.svg @@ -0,0 +1,5 @@ + + +f-droid + + diff --git a/theme/.icons/pg/i2p.svg b/theme/.icons/pg/i2p.svg new file mode 100644 index 00000000..abe0cbc5 --- /dev/null +++ b/theme/.icons/pg/i2p.svg @@ -0,0 +1,5 @@ + + +i2p + + diff --git a/theme/.icons/pg/ios.svg b/theme/.icons/pg/ios.svg new file mode 100644 index 00000000..e3710b64 --- /dev/null +++ b/theme/.icons/pg/ios.svg @@ -0,0 +1,5 @@ + + +ios + + diff --git a/theme/.icons/pg/linux.svg b/theme/.icons/pg/linux.svg new file mode 100644 index 00000000..258e3dd6 --- /dev/null +++ b/theme/.icons/pg/linux.svg @@ -0,0 +1,5 @@ + + +linux + + diff --git a/theme/.icons/pg/macos.svg b/theme/.icons/pg/macos.svg new file mode 100644 index 00000000..88552900 --- /dev/null +++ b/theme/.icons/pg/macos.svg @@ -0,0 +1,5 @@ + + +macos + + diff --git a/theme/.icons/pg/mix.svg b/theme/.icons/pg/mix.svg new file mode 100644 index 00000000..4188114f --- /dev/null +++ b/theme/.icons/pg/mix.svg @@ -0,0 +1,5 @@ + + +mix + + diff --git a/theme/.icons/pg/netbsd.svg b/theme/.icons/pg/netbsd.svg new file mode 100644 index 00000000..ee7f009d --- /dev/null +++ b/theme/.icons/pg/netbsd.svg @@ -0,0 +1,5 @@ + + +netbsd + + diff --git a/theme/.icons/pg/openbsd.svg b/theme/.icons/pg/openbsd.svg new file mode 100644 index 00000000..4470e617 --- /dev/null +++ b/theme/.icons/pg/openbsd.svg @@ -0,0 +1,5 @@ + + +openbsd + + diff --git a/theme/.icons/pg/qubes-os.svg b/theme/.icons/pg/qubes-os.svg new file mode 100644 index 00000000..b4d975d8 --- /dev/null +++ b/theme/.icons/pg/qubes-os.svg @@ -0,0 +1,5 @@ + + +qubes-os + + diff --git a/theme/.icons/pg/sailfish-os.svg b/theme/.icons/pg/sailfish-os.svg new file mode 100644 index 00000000..d68745ec 
--- /dev/null +++ b/theme/.icons/pg/sailfish-os.svg @@ -0,0 +1,5 @@ + + +sailfish-os + + diff --git a/theme/.icons/pg/tor.svg b/theme/.icons/pg/tor.svg new file mode 100644 index 00000000..93ccc1d9 --- /dev/null +++ b/theme/.icons/pg/tor.svg @@ -0,0 +1,5 @@ + + +tor + + diff --git a/theme/overrides/blog.css b/theme/overrides/blog.css new file mode 100644 index 00000000..41bd1fd8 --- /dev/null +++ b/theme/overrides/blog.css @@ -0,0 +1,25 @@ +/* Blog hero section */ +.mdx-container { + background-color: white; + padding-top: 1rem; +} + +.mdx-hero { + color: var(--md-primary-bg-color); + margin: 0 0.8rem; + text-align: center; +} +.mdx-hero h1 { + color: currentcolor; + font-weight: 700; + margin-bottom: 1rem; + font-size: 2rem; +} +@media screen and (max-width: 29.9375em) { + .mdx-hero h1 { + font-size: 1.4rem; + } +} +.mdx-hero__content { + padding-top: 1rem; +} diff --git a/theme/overrides/blog.html b/theme/overrides/blog.html new file mode 100644 index 00000000..f858c7af --- /dev/null +++ b/theme/overrides/blog.html @@ -0,0 +1,71 @@ +{% extends "base.html" %} +{% block extrahead %} + +{% endblock %} +{% block hero %} + {{ super() }} + +
+
+
+
+

{{ page.meta.title }}

+ {% if page.meta.excerpt %}

{{ page.meta.excerpt }}

{% endif %} + +
+
+
+
+{% endblock %} +{% block content %} + {{ super() }} + + +

{{ lang.t("meta.comments") }}

+ + + + +{% endblock %} diff --git a/theme/overrides/home.css b/theme/overrides/home.css new file mode 100644 index 00000000..36b074c8 --- /dev/null +++ b/theme/overrides/home.css @@ -0,0 +1,62 @@ +/* Homepage hero section */ +.mdx-container { + background: url("data:image/svg+xml;utf8,") + no-repeat bottom, + linear-gradient(to bottom, var(--md-primary-fg-color), var(--md-primary-fg-color--light) 99%, var(--md-default-bg-color) 99%); + padding-top: 1rem; +} +[data-md-color-scheme="slate"] .mdx-container { + background: url("data:image/svg+xml;utf8,") + no-repeat bottom, + linear-gradient(to bottom, var(--md-primary-fg-color), var(--md-primary-fg-color--dark) 99%, var(--md-default-bg-color) 99%); +} + +.mdx-hero { + color: var(--md-primary-bg-color); + margin: 0 0.8rem; +} +.mdx-hero h1 { + color: currentcolor; + font-weight: 700; + margin-bottom: 1rem; + font-size: 2.6rem; +} +@media screen and (max-width: 29.9375em) { + .mdx-hero h1 { + font-size: 1.4rem; + } +} +.mdx-hero__content { + padding-bottom: 6rem; +} +@media screen and (min-width: 60em) { + .mdx-hero { + align-items: stretch; + display: flex; + } + .mdx-hero__content { + margin-top: 3.5rem; + max-width: 38rem; + padding-bottom: 14vw; + } + .mdx-hero__image { + order: 1; + transform: translateX(4rem); + width: 38rem; + } +} +@media screen and (min-width: 76.25em) { + .mdx-hero__image { + transform: translateX(8rem); + } +} +.mdx-hero .md-button { + color: var(--md-primary-bg-color); +} +.mdx-hero .md-button--primary { + color: var(--md-primary-fg-color)!important; + background-color: var(--md-primary-bg-color); + border-color: var(--md-primary-bg-color); + margin-right: 0.5rem; + margin-top: 0.5rem; +} diff --git a/theme/overrides/home.html b/theme/overrides/home.html new file mode 100644 index 00000000..8e97553e --- /dev/null +++ b/theme/overrides/home.html @@ -0,0 +1,24 @@ +{% extends "base.html" %} +{% block extrahead %} + +{% endblock %} +{% block hero %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

{{ config.site_description }}

+ + Privacy Tools + + + Read our blog + +
+
+
+
+{% endblock %}