privacyguides
/
privacyguides.org
mirror of https://github.com/privacyguides/privacyguides.org.git
1
0
Fork 0
Code Issues Activity

Tidy links, and lint (#2435) 

Tidies up a number of things:

- Outdated links that redirect
- Dead links
- Remove unnecessary parameters eg "en" and "en-US"
- Shortened amazon, apps.apple.com, reddit links
- Removed trailing /
- Remove www (except for PG assets)
- Optimize unoptimized SVGs and remove xml declarations
- Lint yaml, md files

Co-Authored-By: Daniel Gray <dngray@privacyguides.org>
This commit is contained in:
kimg45 2024-03-13 03:18:28 +00:00 committed by Daniel Gray
parent d8627a1ad2
commit aaa843d272
No known key found for this signature in database
GPG Key ID: 41911F722B0F9AE3
116 changed files with 700 additions and 1311 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.github/ISSUE_TEMPLATE/1_Content_Correction.yml vendored
View File

@ -26,14 +26,14 @@ body:
- type: markdown
attributes:
value: |
This form is for reporting verifiable issues with our website.
If you simply disagree with an opinion on the website, please open a discussion [on our forum](https://discuss.privacyguides.net/) instead.
This form is for reporting verifiable issues with our website.
If you simply disagree with an opinion on the website, please open a discussion [on our forum](https://discuss.privacyguides.net) instead.
- type: input
attributes:
label: Affected page
description: Please let us know which page the incorrect information can be found on.
placeholder: "https://www.privacyguides.org/en/data-redaction/"
placeholder: "https://www.privacyguides.org/en/data-redaction"
validations:
required: true
@ -62,5 +62,5 @@ body:
options:
- label: I am reporting something that is verifiably incorrect, not a suggestion or opinion.
required: true
- label: I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).
- label: I agree to the [Community Code of Conduct](https://www.privacyguides.org/coc).
required: true

14
.github/ISSUE_TEMPLATE/2_Website_Issues.yml vendored
View File

@ -32,15 +32,15 @@ body:
This is not the place to report an issue with Matrix, Discourse, or our other hosted services.
If you want us to fix inaccurate information on the website, go back and use the content correction form.
If you want to make another suggestion, please [use our discussion forum](https://discuss.privacyguides.net/) instead.
If you want to make another suggestion, please [use our discussion forum](https://discuss.privacyguides.net) instead.
- type: textarea
id: description
attributes:
label: Bug description
description: |
Please give a detailed description of the bug.
Explain how the website does not behave as you would expect it to, and be as specific as possible.
Please give a detailed description of the bug.
Explain how the website does not behave as you would expect it to, and be as specific as possible.
If you have found a workaround or a fix for the problem too, please let us know.
validations:
required: true
@ -53,7 +53,7 @@ body:
Please list all pages where you've noticed this issue, or let us know if it affects every page on the site.
value: |
-
- type: dropdown
id: browser
attributes:
@ -69,7 +69,7 @@ body:
- Safari
- Edge
- Other
- type: dropdown
id: os
attributes:
@ -93,7 +93,7 @@ body:
options:
- label: I am reporting something that is broken on the website, not making a suggestion.
required: true
- label: I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).
- label: I agree to the [Community Code of Conduct](https://www.privacyguides.org/coc).
required: true
- type: markdown

4
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@ -1,6 +1,6 @@
Changes proposed in this PR:
-
-
<!-- SCROLL TO BOTTOM TO AGREE!:
Please use a descriptive title for your PR, it will be included in our changelog!
@ -17,7 +17,7 @@ Any external relationship can trigger a conflict of interest.
- [ ] I have disclosed any relevant conflicts of interest in my post.
- [ ] I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project.
- [ ] I am the sole author of this work. <!-- Do not check this box if you are not -->
- [ ] I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).
- [ ] I agree to the [Community Code of Conduct](https://www.privacyguides.org/coc).
<!-- What's this? When you submit a PR, you keep the Copyright for the work you
are contributing. We need you to agree to the above terms in order for us to

2
.github/dependabot.yml vendored
View File

@ -41,7 +41,7 @@ updates:
- "jonaharagon"
labels:
- "fix:github_actions"
# Maintain submodules
- package-ecosystem: "gitsubmodule"
directory: "/"

4
.github/workflows/pages.yml vendored
View File

@ -45,7 +45,7 @@ jobs:
fetch-depth: '0'
ssh-key: ${{ secrets.ACTIONS_SSH_KEY }}
submodules: 'true'
- name: Pages setup
uses: actions/configure-pages@v4
@ -54,7 +54,7 @@ jobs:
with:
python-version: '3.8'
cache: 'pipenv'
- name: Cache files
uses: actions/cache@v4.0.1
with:

12
.github/workflows/release.yml vendored
View File

@ -43,7 +43,7 @@ jobs:
- name: Push to production branch
run: |
git push origin HEAD:production
build:
name: Create release packages
runs-on: ubuntu-latest
@ -61,7 +61,7 @@ jobs:
with:
python-version: '3.8'
cache: 'pipenv'
- name: Cache files
uses: actions/cache@v4.0.1
with:
@ -81,7 +81,7 @@ jobs:
run: |
pipenv run mkdocs build --config-file config/mkdocs-offline.yml
pipenv run mkdocs --version
- name: Package website
run: |
tar -czvf offline.tar.gz site
@ -92,13 +92,13 @@ jobs:
with:
name: offline.tar.gz
path: offline.tar.gz
- name: Upload zip file
uses: actions/upload-artifact@v4
with:
name: offline.zip
path: offline.zip
- name: Create ZIM File
uses: addnab/docker-run-action@v3
with:
@ -106,7 +106,7 @@ jobs:
options: -v ${{ github.workspace }}:/data
run: |
zimwriterfs -w index.html -I assets/brand/PNG/Square/pg-yellow.png -l eng -t "Privacy Guides" -d "Your central privacy and security resource to protect yourself online." -c "Privacy Guides" -p "Jonah Aragon" -n "Privacy Guides" -e "https://github.com/privacyguides/privacyguides.org" /data/site /data/privacy_guides.zim
- name: Upload ZIM file
uses: actions/upload-artifact@v4
with:

2
.gitignore vendored
View File

@ -9,7 +9,7 @@ site
# include Bagnard font in social card
# (not available in Google Fonts)
# ridiculous hide-and-seek https://stackoverflow.com/a/72380673
/.cache/*
/.cache/*
!/.cache/plugin
/.cache/plugin/*
!/.cache/plugin/social

20
README.md
View File

@ -1,6 +1,6 @@
<!-- markdownlint-disable MD041 -->
<div align="center">
<a href="https://www.privacyguides.org/">
<a href="https://www.privacyguides.org">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/privacyguides/brand/main/SVG/Logo/privacy-guides-logo-dark.svg">
<img alt="Privacy Guides" width="500px" src="https://raw.githubusercontent.com/privacyguides/brand/main/SVG/Logo/privacy-guides-logo.svg">
@ -9,7 +9,7 @@
<p><em>Your central privacy and security resource to protect yourself online.</em></p>
<p><a href="https://discuss.privacyguides.net/">
<p><a href="https://discuss.privacyguides.net">
<img src="https://img.shields.io/discourse/users?label=Join%20our%20forum&logo=discourse&server=https%3A%2F%2Fdiscuss.privacyguides.net&style=social">
</a>
<a href="https://github.com/privacyguides/privacyguides.org/stargazers">
@ -42,17 +42,17 @@
The current list of team members can be found [here](https://www.privacyguides.org/about/#our-team). Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project, and you can too!
*Featured on: [Tweakers](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html), [The New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/)*
*Featured on: [Tweakers](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html), [The New York Times](https://nytimes.com/wirecutter/guides/online-security-social-media-privacy), and [Wired](https://wired.com/story/firefox-mozilla-2022)*
## Contributing
- 💬 [Start a discussion or suggest an idea](https://discuss.privacyguides.net/)
- 💬 [Start a discussion or suggest an idea](https://discuss.privacyguides.net)
- 💖 [Sponsor the project](https://github.com/sponsors/privacyguides)
- 🈴 [Help translate the site](https://crowdin.com/project/privacyguides) [[Matrix chat](https://matrix.to/#/#pg-i18n:aragon.sh)]
- 📝 Edit the site, everything's accessible in this repo
- Browse our [open issues](https://github.com/privacyguides/privacyguides.org/issues) to see what needs to be updated
- View the list of [approved topics waiting for a PR](https://discuss.privacyguides.net/tag/approved)
- Read some writing tips in our [style guide](https://www.privacyguides.org/en/meta/writing-style/)
- Read some writing tips in our [style guide](https://www.privacyguides.org/en/meta/writing-style)
All contributors to the site are listed [here](https://github.com/privacyguides/privacyguides.org/graphs/contributors). If you make a substantial (i.e. copyright eligible) contribution to the project and would like to be formally credited, you are welcome to include your information in the appropriate `authors` section in [`CITATION.cff`](/CITATION.cff) as well, just submit a PR or ask @jonaharagon to make the change.
@ -64,7 +64,7 @@ All contributors to the site are listed [here](https://github.com/privacyguides/
[![Gitea](https://img.shields.io/static/v1?logo=gitea&label=&message=Gitea&color=000&style=for-the-badge)](https://code.privacyguides.dev/privacyguides/privacyguides.org)
[![Forgejo](https://img.shields.io/static/v1?logo=forgejo&label=&message=Forgejo&color=000&style=for-the-badge)](https://git.jonaharagon.net/privacyguides/privacyguides.org)
**Hidden service (Tor/onion):** [xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion](http://www.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion/)
**Hidden service (Tor/onion):** [xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion](http://www.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion)
## License
@ -76,7 +76,7 @@ Generally speaking, **content** can be found in the [`/docs`](/docs), [`/theme/a
These licenses do not apply to any work where another license is otherwise noted.
**Logos** in the [`/theme/assets/img`](/theme/assets/img) folder may not be original works of Privacy Guides and therefore cannot be (re)licensed by us. We believe that these logos obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
**Logos** in the [`/theme/assets/img`](/theme/assets/img) folder may not be original works of Privacy Guides and therefore cannot be (re)licensed by us. We believe that these logos obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
You may comply with our license terms in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
@ -86,7 +86,7 @@ When you contribute to this repository you are doing so under the above licenses
Committing to this repository requires [signing your commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) (`git config commit.gpgsign true`) unless you are making edits via the GitHub.com text editor interface. As of August 2022 the preferred signing method is [SSH commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#ssh-commit-signature-verification), but GPG signing is also acceptable. You should add your signing key to your GitHub profile.
This website uses [`mkdocs-material-insiders`](https://squidfunk.github.io/mkdocs-material/insiders/) which offers additional functionality over the open-source `mkdocs-material` project. For obvious reasons we cannot distribute access to the insiders repository. Running this website locally without access to insiders is unsupported. If you are submitting a PR, please ensure the automatic preview generated for your PR looks correct, as that site will be built with the production insiders build.
This website uses [`mkdocs-material-insiders`](https://squidfunk.github.io/mkdocs-material/insiders) which offers additional functionality over the open-source `mkdocs-material` project. For obvious reasons we cannot distribute access to the insiders repository. Running this website locally without access to insiders is unsupported. If you are submitting a PR, please ensure the automatic preview generated for your PR looks correct, as that site will be built with the production insiders build.
**Team members** should clone the repository with `mkdocs-material-insiders` directly. This method is identical to production:
@ -104,7 +104,7 @@ If you commit to `main` with commits signed with your SSH key, you should add yo
### Local Translated Site Builds
1. Install the [Crowdin CLI Tool](https://developer.crowdin.com/cli-tool/) (`brew install crowdin`)
1. Install the [Crowdin CLI Tool](https://developer.crowdin.com/cli-tool) (`brew install crowdin`)
2. Set the `CROWDIN_PERSONAL_TOKEN` environment variable to your Crowdin personal access token
3. Run `crowdin download` in the root of this repo
4. Serve the site locally: `pipenv run mkdocs serve --config-file config/mkdocs.fr.yml` (replacing the config file with any language in [/config](/config))
@ -117,7 +117,7 @@ It is required to create a GitHub release to publish the current site to privacy
1. Create a new tag: `git tag -s v3.X.X -m 'Some message'`
- [View existing tags](https://github.com/privacyguides/privacyguides.org/tags)
- Tag [numbering](https://semver.org/): Increment the MINOR (2nd) number when making significant changes (adding/deleting pages, etc.), increment the PATCH (3rd) number when making minor changes (typos, bug fixes). Probably leave the MAJOR number at 3 until a massive revamp (v1 -> v2 was the Jekyll to MkDocs transition, v2 -> v3 was the introduction of translations).
- Tag [numbering](https://semver.org): Increment the MINOR (2nd) number when making significant changes (adding/deleting pages, etc.), increment the PATCH (3rd) number when making minor changes (typos, bug fixes). Probably leave the MAJOR number at 3 until a massive revamp (v1 -> v2 was the Jekyll to MkDocs transition, v2 -> v3 was the introduction of translations).
- Consider enabling GPG tag signing by default (`git config tag.gpgSign true`) to avoid missing signatures
2. Push the tag to GitHub: `git push --tags`
3. A GitHub Release will be automatically created and deployed to the live site.

4
docs/CODE_OF_CONDUCT.md
View File

@ -16,8 +16,8 @@ What we expect from members of our communities:
2. **Do not abuse our willingness to help**
Our community members are not free tech support. We are happy to help with specific steps for individual's, privacy journey, if they are willing to put in effort. We are not obligated to answer endless, repetitive questions, about general computer problems solvable with a simple internet search. **Do not** become a [help vampire](https://slash7.com/2006/12/22/vampires/).
Our community members are not free tech support. We are happy to help with specific steps for individual's, privacy journey, if they are willing to put in effort. We are not obligated to answer endless, repetitive questions, about general computer problems solvable with a simple internet search. **Do not** become a [help vampire](https://slash7.com/2006/12/22/vampires).
3. **Behave in a positive and constructive manner**
Examples of behavior that contributes to a positive environment for our community include:

8
docs/about/index.md
View File

@ -20,19 +20,19 @@ schema:
**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers.
[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage }
[:octicons-home-16:](https://www.privacyguides.org){ .card-link title=Homepage }
[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" }
[:octicons-heart-16:](donate.md){ .card-link title=Contribute }
> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that arent run by the big tech companies.
— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/)
— [New York Times](https://nytimes.com/wirecutter/guides/online-security-social-media-privacy)
> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet.
— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch]
Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/).
Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok), [Wirecutter](https://nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc) [[2](https://nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac)], [NPO Radio 1](https://nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://wired.com/story/firefox-mozilla-2022).
## History
@ -40,7 +40,7 @@ Privacy Guides was launched in September 2021 as a continuation of the [defunct]
In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document.
We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms.
We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms.
So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry.

4
docs/about/notices.md
View File

@ -29,7 +29,7 @@ This does not include third-party code embedded in this repository, or code wher
This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo.
We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.*
When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project.
@ -47,4 +47,4 @@ You must not conduct any systematic or automated data collection activities on o
---
*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).*
*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0).*

34
docs/about/privacytools.md
View File

@ -13,13 +13,13 @@ After the organizational move was completed, the founder of PrivacyTools returne
PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc.
Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested.
## Why We Moved On
In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again.
In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.==
## Domain Name Reliance
@ -33,25 +33,25 @@ In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the
## Community Call to Action
At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped.
## Control of r/privacytoolsIO
Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://reddit.com/comments/o9tllh) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit.
Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms.
> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer.
>
> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct).
> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://redditinc.com/policies/moderator-code-of-conduct).
## Beginning the Transition
On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain:
On September 14th, 2021, we [announced](https://blog.privacyguides.org/2021/09/14/welcome-to-privacy-guides) the beginning of our migration to this new domain:
> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc.
This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/)
This change [entailed:](https://reddit.com/comments/pnhn4a)
- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org).
- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site.
@ -62,11 +62,11 @@ Things appeared to be going smoothly, and most of our active community made the
## Following Events
Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://reddit.com/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project.
At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible).
Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services.
Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://reddit.com/comments/pymthv/comment/hexwrps) at the beginning of October, ending any migration possibilities to any users still using those services.
Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so.
@ -76,11 +76,11 @@ BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status
As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs.
==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open-source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open-source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder.
## r/privacytoolsIO Now
After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021:
After the launch of [r/PrivacyGuides](https://reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://reddit.com/comments/qk7qrj) a restricted sub in a post on November 1st, 2021:
> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you.
>
@ -88,7 +88,7 @@ After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), i
Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides.
In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules:
In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://reddit.com/r/redditrequest/wiki/top_mod_removal) of Reddit rules:
> Retaliation from any moderator with regards to removal requests is disallowed.
@ -106,12 +106,12 @@ Thus, the funds in OpenCollective belong to Privacy Guides, they were given to o
This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion.
- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/)
- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/)
- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/)
- [June 28, 2021 request for control of r/privacytoolsIO](https://reddit.com/comments/o9tllh)
- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools)
- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://reddit.com/pnql46)
- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides)
- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280)
- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/)
- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/)
- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://reddit.com/comments/pymthv/comment/hexwrps)
- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://reddit.com/comments/tuo7mm/comment/i35kw5a)
- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496)
- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20)

4
docs/advanced/communication-network-types.md
View File

@ -28,7 +28,7 @@ Some self-hosted messengers allow you to set up your own server. Self-hosting ca
- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
- Poor or no documentation for third-party developers.
- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
- Self-hosting requires effort and knowledge of how to set up a service.
## Federated Networks
@ -60,7 +60,7 @@ When self-hosted, members of a federated server can discover and communicate wit
P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://scuttlebutt.nz) social network protocol).
Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.

14
docs/advanced/dns-overview.md
View File

@ -18,7 +18,7 @@ Below, we discuss and provide a tutorial to prove what an outside observer may s
### Unencrypted DNS
1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified:
1. Using [`tshark`](https://wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified:
```bash
tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8
@ -39,7 +39,7 @@ Below, we discuss and provide a tutorial to prove what an outside observer may s
nslookup privacyguides.org 8.8.8.8
```
3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results:
3. Next, we want to [analyse](https://wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results:
=== "Wireshark"
@ -74,7 +74,7 @@ Encrypted DNS can refer to one of a number of protocols, the most common ones be
### DNS over TLS (DoT)
[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls.
[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls.
### DNS over HTTPS (DoH)
@ -106,7 +106,7 @@ In this example we will record what happens when we make a DoH request:
wireshark -r /tmp/dns_doh.pcap
```
We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
## Why **shouldn't** I use encrypted DNS?
@ -158,9 +158,9 @@ Server Name Indication is typically used when a IP address hosts many websites.
tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
```
This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak.
This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello), which prevents this kind of leak.
Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted.
Governments, in particular [China](https://zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni) and [Russia](https://zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted.
### Online Certificate Status Protocol (OCSP)
@ -290,7 +290,7 @@ The DNSSEC signing process is similar to someone signing a legal document with a
DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`s authoritative nameserver.
<small>Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).</small>
<small>Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0).</small>
## What is QNAME minimization?

6
docs/advanced/payments.md
View File

@ -8,7 +8,7 @@ There's a reason data about your buying habits is considered the holy grail of a
For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable.
Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payees name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations.
Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payees name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations.
Despite this, its typically the best option.
@ -59,7 +59,7 @@ There are a number of cryptocurrency projects which purport to provide privacy b
- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins)
Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance.
Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance.
### Other Coins (Bitcoin, Ethereum, etc.)
@ -75,7 +75,7 @@ With cryptocurrency there are two forms of wallets: custodial wallets and noncus
### Acquisition
Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward.
Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward.
If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall.

6
docs/advanced/tor-overview.md
View File

@ -21,7 +21,7 @@ If you have the ability to access a trusted VPN provider and **any** of the foll
Because we already [generally recommend](../basics/vpn-overview.md) that the vast majority of people use a trusted VPN provider for a variety of reasons, the following recommendation about connecting to Tor via a VPN likely applies to you. <mark>There is no need to disable your VPN before connecting to Tor</mark>, as some online resources would lead you to believe.
Connecting directly to Tor will make your connection stand out to any local network administrators or your ISP. Detecting and correlating this traffic [has been done](https://edition.cnn.com/2013/12/17/justice/massachusetts-harvard-hoax/) in the past by network administrators to identify and deanonymize specific Tor users on their network. On the other hand, connecting to a VPN is almost always less suspicious, because commercial VPN providers are used by everyday consumers for a variety of mundane tasks like bypassing geo-restrictions, even in countries with heavy internet restrictions.
Connecting directly to Tor will make your connection stand out to any local network administrators or your ISP. Detecting and correlating this traffic [has been done](https://edition.cnn.com/2013/12/17/justice/massachusetts-harvard-hoax) in the past by network administrators to identify and deanonymize specific Tor users on their network. On the other hand, connecting to a VPN is almost always less suspicious, because commercial VPN providers are used by everyday consumers for a variety of mundane tasks like bypassing geo-restrictions, even in countries with heavy internet restrictions.
Therefore, you should make an effort to hide your IP address **before** connecting to the Tor network. You can do this by simply connecting to a VPN (through a client installed on your computer) and then accessing [Tor](../tor.md) as normal, through Tor Browser for example. This creates a connection chain like:
@ -72,7 +72,7 @@ As we've alluded to already, Tor is also easily identifiable on the network. Unl
### Tor usage is not undetectable
**Even if you use bridges and pluggable transports,** the Tor Project provides no tools to hide the fact that you are using Tor from your ISP. Even using obfuscated "pluggable transports" or non-public bridges do not hide the fact that you are using a private communications channel. The most popular pluggable transports like obfs4 (which obfuscates your traffic to "look like nothing") and meek (which uses domain fronting to camouflage your traffic) can be [detected](https://www.hackerfactor.com/blog/index.php?/archives/889-Tor-0day-Burning-Bridges.html) with fairly standard traffic analysis techniques. Snowflake has similar issues, and can be [easily detected](https://www.hackerfactor.com/blog/index.php?/archives/944-Tor-0day-Snowflake.html) *before* a Tor connection is even established.
**Even if you use bridges and pluggable transports,** the Tor Project provides no tools to hide the fact that you are using Tor from your ISP. Even using obfuscated "pluggable transports" or non-public bridges do not hide the fact that you are using a private communications channel. The most popular pluggable transports like obfs4 (which obfuscates your traffic to "look like nothing") and meek (which uses domain fronting to camouflage your traffic) can be [detected](https://hackerfactor.com/blog/index.php?/archives/889-Tor-0day-Burning-Bridges.html) with fairly standard traffic analysis techniques. Snowflake has similar issues, and can be [easily detected](https://hackerfactor.com/blog/index.php?/archives/944-Tor-0day-Snowflake.html) *before* a Tor connection is even established.
Pluggable transports other than these three do exist, but typically rely on security through obscurity to evade detection. They aren't impossible to detect, they are just used by so few people that it's not worth the effort building detectors for them. They shouldn't be relied upon if you specifically are being monitored.
@ -109,7 +109,7 @@ The entry node, often called the guard node, is the first node to which your Tor
Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2))
### The Middle Node

66
docs/android.md
View File

@ -5,19 +5,19 @@ icon: 'simple/android'
description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives.
cover: android.webp
schema:
-
-
"@context": http://schema.org
"@type": WebPage
name: Private Android Operating Systems
url: "./"
-
-
"@context": http://schema.org
"@type": CreativeWork
name: Android
image: /assets/img/android/android.svg
url: https://source.android.com/
sameAs: https://en.wikipedia.org/wiki/Android_(operating_system)
-
-
"@context": http://schema.org
"@type": CreativeWork
name: GrapheneOS
@ -28,7 +28,7 @@ schema:
"@context": http://schema.org
"@type": WebPage
url: "./"
-
-
"@context": http://schema.org
"@type": CreativeWork
name: Divest
@ -39,7 +39,7 @@ schema:
"@context": http://schema.org
"@type": WebPage
url: "./"
-
-
"@context": http://schema.org
"@type": Product
name: Pixel
@ -53,25 +53,25 @@ schema:
author:
"@type": Organization
name: Privacy Guides
-
-
"@context": http://schema.org
"@type": MobileApplication
name: Shelter
applicationCategory: Utilities
operatingSystem: Android
-
-
"@context": http://schema.org
"@type": MobileApplication
name: Auditor
applicationCategory: Utilities
operatingSystem: Android
-
-
"@context": http://schema.org
"@type": MobileApplication
name: Secure Camera
applicationCategory: Utilities
operatingSystem: Android
-
-
"@context": http://schema.org
"@type": MobileApplication
name: Secure PDF Viewer
@ -83,9 +83,9 @@ schema:
The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features.
[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage }
[:octicons-home-16:](https://source.android.com){ .card-link title=Homepage }
[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" }
[:octicons-code-16:](https://cs.android.com/android/platform/superproject){ .card-link title="Source Code" }
These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android:
@ -113,7 +113,7 @@ End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices)
GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
[:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://grapheneos.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation}
[:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" }
@ -121,11 +121,11 @@ GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wik
</div>
GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice.
GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice.
Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/){ .md-button }
[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos){ .md-button }
### DivestOS
@ -133,7 +133,7 @@ Google Pixel phones are the only devices that currently meet GrapheneOS's [hardw
![DivestOS logo](assets/img/android/divestos.svg){ align=right }
**DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/).
**DivestOS** is a soft-fork of [LineageOS](https://lineageos.org).
DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
[:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
@ -145,12 +145,12 @@ DivestOS inherits many [supported devices](https://divestos.org/index.php?page=d
</div>
DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates.
DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates.
DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
DivestOS uses F-Droid as its default app store. We normally [recommend avoiding F-Droid](#f-droid), but doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [F-Droid Basic](https://f-droid.org/en/packages/org.fdroid.basic/) **with the DivestOS repositories enabled** to keep those components up to date. For other apps, our recommended methods of obtaining them still apply.
DivestOS uses F-Droid as its default app store. We normally [recommend avoiding F-Droid](#f-droid), but doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [F-Droid Basic](https://f-droid.org/en/packages/org.fdroid.basic) **with the DivestOS repositories enabled** to keep those components up to date. For other apps, our recommended methods of obtaining them still apply.
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
@ -167,13 +167,13 @@ When purchasing a device, we recommend getting one as new as possible. The softw
Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution.
Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of it being entered in the [IMEI database](https://www.gsma.com/get-involved/working-groups/terminal-steering-group/imei-database). There is also a risk involved with you being associated with the activity of the previous owner.
Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of it being entered in the [IMEI database](https://gsma.com/get-involved/working-groups/terminal-steering-group/imei-database). There is also a risk involved with you being associated with the activity of the previous owner.
A few more tips regarding Android devices and operating system compatibility:
- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details!
- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net) to find details!
### Google Pixel
@ -195,7 +195,7 @@ Secure Elements like the Titan M2 are more limited than the processor's Trusted
Google Pixel phones use a TEE OS called Trusty which is [open source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://nitrokey.com/about) company.
A few more tips for purchasing a Google Pixel:
@ -221,14 +221,14 @@ Shelter supports blocking contact search cross profiles and sharing files across
[:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary }
[:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute }
[:octicons-heart-16:](https://patreon.com/PeterCxy){ .card-link title=Contribute }
</div>
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile.
@ -323,11 +323,11 @@ The image orientation metadata is not deleted. If you enable location (in Secure
</div>
Obtainium allows you to download APK installer files from a wide variety of sources, and it is up to you to ensure those sources and apps are legitimate. For example, using Obtainium to install Signal from [Signal's APK landing page](https://signal.org/android/apk/) should be fine, but installing from third-party APK repositories like Aptoide or APKPure may pose additional risks. The risk of installing a malicious *update* is lower, because Android itself verifies that all app updates are signed by the same developer as the existing app on your phone before installing them.
Obtainium allows you to download APK installer files from a wide variety of sources, and it is up to you to ensure those sources and apps are legitimate. For example, using Obtainium to install Signal from [Signal's APK landing page](https://signal.org/android/apk) should be fine, but installing from third-party APK repositories like Aptoide or APKPure may pose additional risks. The risk of installing a malicious *update* is lower, because Android itself verifies that all app updates are signed by the same developer as the existing app on your phone before installing them.
### GrapheneOS App Store
GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to.
### Aurora Store
@ -339,7 +339,7 @@ The Google Play Store requires a Google account to login which is not great for
**Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps.
[:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://auroraoss.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://gitlab.com/AuroraOSS/AuroraStore/-/blob/master/POLICY.md){ .card-link title="Privacy Policy" }
[:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" }
@ -376,7 +376,7 @@ On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate
If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools).
1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/).
1. Install [Java JDK](https://oracle.com/java/technologies/downloads).
2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools).
@ -394,7 +394,7 @@ If you download APK files to install manually, you can verify their signature wi
./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk
```
5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website.
5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk) on their website.
```bash
Signer #1 certificate DN: CN=GrapheneOS
@ -407,18 +407,18 @@ If you download APK files to install manually, you can verify their signature wi
![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px }
==We only recommend F-Droid as a way to obtain apps which cannot be obtained via the means above.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are some security-related downsides to how F-Droid builds, signs, and delivers packages:
==We only recommend F-Droid as a way to obtain apps which cannot be obtained via the means above.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds) for some applications and is dedicated to free and open-source software. However, there are some security-related downsides to how F-Droid builds, signs, and delivers packages:
Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. Additionally, the requirements for an app to be included in the official F-Droid repo are less strict than other app stores like Google Play, meaning that F-Droid tends to host a lot more apps which are older, unmaintained, or otherwise no longer meet [modern security standards](https://developer.android.com/google/play/requirements/target-sdk).
Other popular third-party repositories for F-Droid such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can fully recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that repository if they are later added to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
Other popular third-party repositories for F-Droid such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can fully recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that repository if they are later added to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through other means such as the Play Store, Aurora Store, or by getting the APK directly from the developer. You should use your best judgement when looking for new apps via this method, and keep an eye on how frequently the app is updated. Outdated apps may rely on unsupported libraries, among other things, posing a potential security risk.
That said, the [F-Droid](https://f-droid.org/en/packages) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through other means such as the Play Store, Aurora Store, or by getting the APK directly from the developer. You should use your best judgement when looking for new apps via this method, and keep an eye on how frequently the app is updated. Outdated apps may rely on unsupported libraries, among other things, posing a potential security risk.
<div class="admonition note" markdown>
<p class="admonition-title">F-Droid Basic</p>
In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using the newer [F-Droid Basic](https://f-droid.org/en/packages/org.fdroid.basic/) client instead of the original F-Droid app to obtain it. F-Droid Basic can do unattended updates without privileged extension or root, and has a reduced feature set (limiting attack surface).
In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org) is one example of this). If you really need an app like that, we recommend using the newer [F-Droid Basic](https://f-droid.org/en/packages/org.fdroid.basic) client instead of the original F-Droid app to obtain it. F-Droid Basic can do unattended updates without privileged extension or root, and has a reduced feature set (limiting attack surface).
</div>

3
docs/assets/img/how-tor-works/tor-encryption-dark.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

3
docs/assets/img/how-tor-works/tor-encryption.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

3
docs/assets/img/how-tor-works/tor-path-dark.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 14 KiB

226
docs/assets/img/how-tor-works/tor-path-hidden-service-dark.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 23 KiB

226
docs/assets/img/how-tor-works/tor-path-hidden-service.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 22 KiB

1
docs/assets/img/how-tor-works/tor-path.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 14 KiB

16
docs/basics/account-deletion.md
View File

@ -3,26 +3,26 @@ title: "Account Deletion"
icon: 'material/account-remove'
description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection.
---
Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://deceptive.design), for the betterment of your online presence.
## Finding Old Accounts
### Password Manager
If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned).
<figure markdown>
![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
</figure>
Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro)
and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
and [Edge Password Manager](https://support.microsoft.com/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
- macOS [Passwords](https://support.apple.com/en-us/HT211145)
- iOS [Passwords](https://support.apple.com/en-us/HT211146)
- Windows [Credential Manager](https://support.microsoft.com/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
- macOS [Passwords](https://support.apple.com/HT211145)
- iOS [Passwords](https://support.apple.com/HT211146)
- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://wiki.gnome.org/Apps/Seahorse) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
### Email
@ -39,7 +39,7 @@ When attempting to regain access, if the site returns an error message saying th
### GDPR (EEA residents only)
Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
### Overwriting Account information
@ -59,4 +59,4 @@ Even when you are able to delete an account, there is no guarantee that all your
## Avoid New Accounts
As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org). Avoid the temptation when you're able to—your future self will thank you!

12
docs/basics/common-misconceptions.md
View File

@ -3,32 +3,32 @@ title: "Common Misconceptions"
icon: 'material/robot-confused'
description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation.
schema:
-
-
"@context": https://schema.org
"@type": FAQPage
mainEntity:
-
-
"@type": Question
name: Is open-source software inherently secure?
acceptedAnswer:
"@type": Answer
text: |
Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
-
-
"@type": Question
name: Can shifting trust to another provider increase privacy?
acceptedAnswer:
"@type": Answer
text: |
We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties.
-
-
"@type": Question
name: Are privacy-focused solutions inherently trustworthy?
acceptedAnswer:
"@type": Answer
text: |
Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.
-
-
"@type": Question
name: How complicated should my threat model be?
acceptedAnswer:
@ -88,7 +88,7 @@ When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki
2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.
You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://getmonero.org). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.

12
docs/basics/common-threats.md
View File

@ -55,7 +55,7 @@ By design, **web browsers**, **email clients**, and **office applications** typi
</div>
If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://learn.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
## Privacy From Service Providers
@ -89,16 +89,16 @@ Mass surveillance is the intricate effort to monitor the "behavior, many activit
<div class="admonition abstract" markdown>
<p class="admonition-title">Atlas of Surveillance</p>
If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/).
If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org) by the [Electronic Frontier Foundation](https://eff.org).
In France you can take a look at the [Technopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net.
In France you can take a look at the [Technopolice website](https://technopolice.fr/villes) maintained by the non-profit association La Quadrature du Net.
</div>
Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
<div class="admonition quote" markdown>
<p class="admonition-title">ACLU: <em><a href="https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward">The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward</a></em></p>
<p class="admonition-title">ACLU: <em><a href="https://aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward">The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward</a></em></p>
In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every Americans phone calls — whos calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about peoples lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.
@ -144,7 +144,7 @@ If you've already submitted your real information to sites which shouldn't have
Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]
Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.
@ -162,5 +162,5 @@ You must always consider the risks of trying to bypass censorship, the potential
[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many content blockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
[^4]: "[Enumerating badness](https://ranum.com/security/computer_security/editorials/dumb)" (or, "listing all the bad things that we know about"), as many content blockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).

6
docs/basics/email-security.md
View File

@ -13,7 +13,7 @@ As a result, email is best used for receiving transactional emails (like notific
The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
@ -23,7 +23,7 @@ The Web Key Directory (WKD) standard allows email clients to discover the OpenPG
In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you.
If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org/). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting).
If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting).
If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method.
@ -33,7 +33,7 @@ Email providers which allow you to use standard access protocols like IMAP and S
### How Do I Protect My Private Keys?
A smartcard (such as a [YubiKey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc.) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
A smartcard (such as a [YubiKey](https://support.yubico.com/hc/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc.) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
It is advantageous for the decryption to occur on the smartcard to avoid possibly exposing your private key to a compromised device.

16
docs/basics/multi-factor-authentication.md
View File

@ -29,7 +29,7 @@ TOTP is one of the most common forms of MFA available. When you set up TOTP, you
The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://yubico.com/products/yubico-authenticator)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
@ -121,13 +121,13 @@ Beyond just securing your website logins, multi-factor authentication can be use
### Windows
Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
Yubico has a dedicated [Credential Provider](https://learn.microsoft.com/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
### macOS
macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/articles/360016649059) which can help you set up your YubiKey on macOS.
After your smartcard/security key is set up, we recommend running this command in the Terminal:
@ -146,22 +146,22 @@ If the hostname of your system changes (such as due to DHCP), you would be unabl
</div>
The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
### Qubes OS
Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://qubes-os.org/doc/yubikey) if you want to set up MFA on Qubes OS.
### SSH
#### Hardware Security Keys
SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH) on how to set this up.
#### Time-based One-time Password (TOTP)
SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
### KeePass (and KeePassXC)
KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.

12
docs/basics/passwords-overview.md
View File

@ -54,13 +54,13 @@ To generate a diceware passphrase using real dice, follow these steps:
<div class="admonition Note" markdown>
<p class="admonition-title">Note</p>
These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
These instructions assume that you are using [EFF's large wordlist](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy.
</div>
1. Roll a six-sided die five times, noting down the number after each roll.
2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`.
3. You will find the word `encrypt`. Write that word down.
@ -75,20 +75,20 @@ You should **not** re-roll words until you get a combination of words that appea
If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords.
We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
We recommend using [EFF's large wordlist](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English.
<details class="note" markdown>
<summary>Explanation of entropy and strength of diceware passphrases</summary>
To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example.
One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$.
Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$).
The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
The [EFF's large wordlist](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$.
Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases.
On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true:

14
docs/basics/vpn-overview.md
View File

@ -69,13 +69,13 @@ If you do use Tor then you are *probably* best off connecting to the Tor network
You should not use that feature: The primary advantage of using Tor is that you do not trust your VPN provider, which is negated when you use Tor nodes hosted by your VPN instead of connecting directly to Tor from your computer.
Currently, Tor only supports the TCP protocol. UDP (used by [WebRTC](https://en.wikipedia.org/wiki/WebRTC), [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3), and other protocols), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol), and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
Currently, Tor only supports the TCP protocol. UDP (used by [WebRTC](https://en.wikipedia.org/wiki/WebRTC), [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3), and other protocols), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol), and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
The feature should be viewed as a *convenient* way to access hidden services on Tor, not to stay anonymous. For proper anonymity, use the actual [Tor Browser](../tor.md).
## Commercial VPN Ownership
Most VPN services are owned by the same [few companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/). These shady companies run lots of smaller VPN services to create the illusion that you have more choice than you actually do and to maximize profit. Typically, these providers that feed into their shell company have terrible privacy policies and shouldn't be trusted with your internet traffic. You should be very strict about which provider you decide to use.
Most VPN services are owned by the same [few companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies). These shady companies run lots of smaller VPN services to create the illusion that you have more choice than you actually do and to maximize profit. Typically, these providers that feed into their shell company have terrible privacy policies and shouldn't be trusted with your internet traffic. You should be very strict about which provider you decide to use.
You should also be wary that many VPN review sites are merely advertising vehicles open to the highest bidder. ==Privacy Guides does not make money from recommending external products, and never uses affiliate programs.==
@ -111,8 +111,8 @@ Many dVPNs are used to push a cryptocurrency rather than to make the best servic
## Related VPN Information
- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/)
- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
- [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites)
- [Free VPN App Investigation](https://top10vpn.com/research/free-vpn-investigations/ownership)
- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies)
- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions)
- [VPN - a Very Precarious Narrative](https://overengineer.dev/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert

4
docs/basics/why-privacy-matters.md
View File

@ -48,6 +48,6 @@ Privacy is something we need to have baked into the [software and services](../t
## Sources
- [Why Privacy Matters](https://www.amazon.com/Why-Privacy-Matters-Neil-Richards/dp/0190939044) (2021) by Neil Richards
- [The New Oil: Why Privacy & Security Matter](https://thenewoil.org/en/guides/prologue/why/)
- [Why Privacy Matters](https://amazon.com/dp/0190939044) (2021) by Neil Richards
- [The New Oil: Why Privacy & Security Matter](https://thenewoil.org/en/guides/prologue/why)
- [@Thorin-Oakenpants on Anonymity vs Privacy vs Security](https://code.privacyguides.dev/privacyguides/privacytools.io/issues/1760#issuecomment-10452)

16
docs/calendar.md
View File

@ -12,7 +12,7 @@ Calendars contain some of your most sensitive data; use products that implement
![Tuta logo](assets/img/calendar/tuta.svg){ align=right }
**Tuta** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tuta.com/calendar-app-comparison/).
**Tuta** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tuta.com/calendar-app-comparison).
Multiple calendars and extended sharing functionality is limited to paid subscribers.
@ -20,18 +20,18 @@ Multiple calendars and extended sharing functionality is limited to paid subscri
[:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://tuta.com/faq){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
[:octicons-heart-16:](https://tuta.com/community/){ .card-link title=Contribute }
[:octicons-heart-16:](https://tuta.com/community){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
- [:simple-windows11: Windows](https://tuta.com/blog/posts/desktop-clients/)
- [:simple-apple: macOS](https://tuta.com/blog/posts/desktop-clients/)
- [:simple-linux: Linux](https://tuta.com/blog/posts/desktop-clients/)
- [:simple-appstore: App Store](https://apps.apple.com/app/id922429609)
- [:simple-windows11: Windows](https://tuta.com/blog/posts/desktop-clients)
- [:simple-apple: macOS](https://tuta.com/blog/posts/desktop-clients)
- [:simple-linux: Linux](https://tuta.com/blog/posts/desktop-clients)
- [:simple-flathub: Flathub](https://flathub.org/apps/com.tutanota.Tutanota)
- [:octicons-browser-16: Web](https://app.tuta.com/)
- [:octicons-browser-16: Web](https://app.tuta.com)
</details>
@ -54,7 +54,7 @@ Multiple calendars and extended sharing functionality is limited to paid subscri
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
- [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1514709943)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1514709943)
- [:octicons-browser-16: Web](https://calendar.proton.me)
</details>

14
docs/cloud.md
View File

@ -55,15 +55,15 @@ Proton Drive's brand new mobile clients have not yet been publicly audited by a
**Tresorit** is a Swiss-Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland.
[:octicons-home-16: Homepage](https://tresorit.com/){ class="md-button md-button--primary" }
[:octicons-home-16: Homepage](https://tresorit.com){ class="md-button md-button--primary" }
[:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation}
[:octicons-info-16:](https://support.tresorit.com){ .card-link title=Documentation}
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile)
- [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232)
- [:simple-appstore: App Store](https://apps.apple.com/app/id722163232)
- [:simple-windows11: Windows](https://tresorit.com/download)
- [:simple-apple: macOS](https://tresorit.com/download)
- [:simple-linux: Linux](https://tresorit.com/download)
@ -74,17 +74,17 @@ Proton Drive's brand new mobile clients have not yet been publicly audited by a
Tresorit has received a number of independent security audits:
- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft
- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest
- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification): ISO/IEC 27001:2013[^1] Compliance [Certification](https://certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft
- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security): Penetration Testing by Computest
- This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure.
- Computest discovered two vulnerabilities which have been resolved.
- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young.
- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture): Penetration Testing by Ernst & Young.
- This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf).
- Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorits data confidentiality claims."
[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services.
They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability.
They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.efd.admin.ch/efd/en/home/digitalisierung/swiss-digital-initiative.html) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria) related to security, privacy, and reliability.
## Criteria

18
docs/cryptocurrency.md
View File

@ -24,10 +24,10 @@ Many if not most cryptocurrency projects are scams. Make transactions carefully
**Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices.
[:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary }
[:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://getmonero.org){ .md-button .md-button--primary }
[:octicons-info-16:](https://getmonero.org/resources/user-guides){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute }
[:octicons-heart-16:](https://getmonero.org/get-started/contributing){ .card-link title=Contribute }
</details>
@ -38,16 +38,16 @@ With Monero, outside observers cannot decipher addresses trading Monero, transac
For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include:
- [Official Monero client](https://getmonero.org/downloads) (Desktop)
- [Cake Wallet](https://cakewallet.com/) (iOS, Android)
- Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/).
- [Feather Wallet](https://featherwallet.org/) (Desktop)
- [Monerujo](https://www.monerujo.io/) (Android)
- [Cake Wallet](https://cakewallet.com) (iOS, Android)
- Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com).
- [Feather Wallet](https://featherwallet.org) (Desktop)
- [Monerujo](https://monerujo.io) (Android)
For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another persons node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone elses Monero node over Tor or i2p.
In August 2021, CipherTrace [announced](https://ciphertrace.com/enhanced-monero-tracing/) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022.
In August 2021, CipherTrace [announced](https://ciphertrace.com/enhanced-monero-tracing) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022.
Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations.
Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://wired.com/story/monero-privacy) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations.
Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy.

8
docs/data-redaction.md
View File

@ -87,12 +87,12 @@ The app offers multiple ways to erase metadata from images. Namely:
**Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
[:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
[:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
[:octicons-eye-16:](https://zininworks.com/privacy){ .card-link title="Privacy Policy" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352)
- [:simple-appstore: App Store](https://apps.apple.com/app/id914457352)
</details>
@ -106,7 +106,7 @@ The app offers multiple ways to erase metadata from images. Namely:
**PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.
[:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://privacyblur.app){ .md-button .md-button--primary }
[:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" }
@ -115,7 +115,7 @@ The app offers multiple ways to erase metadata from images. Namely:
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1536274106)
</details>

70
docs/desktop-browsers.md
View File

@ -5,13 +5,13 @@ icon: material/laptop
description: These web browsers provide stronger privacy protections than Google Chrome.
cover: desktop-browsers.webp
schema:
-
-
"@context": http://schema.org
"@type": WebPage
name: Private Desktop Browser Recommendations
url: "./"
relatedLink: "../mobile-browsers/"
-
-
"@context": http://schema.org
"@type": SoftwareApplication
name: Mullvad Browser
@ -25,7 +25,7 @@ schema:
subjectOf:
"@type": WebPage
url: "./"
-
-
"@context": http://schema.org
"@type": SoftwareApplication
name: Firefox
@ -40,7 +40,7 @@ schema:
subjectOf:
"@type": WebPage
url: "./"
-
-
"@context": http://schema.org
"@type": SoftwareApplication
name: Brave
@ -69,8 +69,8 @@ If you need to browse the internet anonymously, you should use [Tor](tor.md) ins
**Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN.
[:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary }
[:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation}
[:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser){ .card-link title=Documentation}
[:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" }
<details class="downloads" markdown>
@ -84,7 +84,7 @@ If you need to browse the internet anonymously, you should use [Tor](tor.md) ins
</div>
Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead.
Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead.
### Anti-Fingerprinting
@ -115,17 +115,17 @@ Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-
**Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
[:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation}
[:octicons-eye-16:](https://mozilla.org/privacy/firefox){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://firefox-source-docs.mozilla.org){ .card-link title=Documentation}
[:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" }
[:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute }
[:octicons-heart-16:](https://donate.mozilla.org){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
- [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
- [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
- [:simple-windows11: Windows](https://mozilla.org/firefox/windows)
- [:simple-apple: macOS](https://mozilla.org/firefox/mac)
- [:simple-linux: Linux](https://mozilla.org/firefox/linux)
- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)
</details>
@ -135,7 +135,7 @@ Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases).
</div>
@ -161,7 +161,7 @@ This protects you by blocking social media trackers, fingerprinting scripts (not
##### Firefox Suggest (US only)
[Firefox Suggest](https://support.mozilla.org/en-US/kb/firefox-suggest) is a feature similar to search suggestions which is only available in the US. We recommend disabling it for the same reason we recommend disabling search suggestions. If you don't see these options under the **Address Bar** header, you do not have the new experience and can ignore these changes.
[Firefox Suggest](https://support.mozilla.org/kb/firefox-suggest) is a feature similar to search suggestions which is only available in the US. We recommend disabling it for the same reason we recommend disabling search suggestions. If you don't see these options under the **Address Bar** header, you do not have the new experience and can ignore these changes.
- [ ] Uncheck **Suggestions from the web**
- [ ] Uncheck **Suggestions from sponsors**
@ -182,7 +182,7 @@ This protects you from persistent cookies, but does not protect you against cook
> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
Additionally, the Firefox Accounts service collects [some technical data](https://mozilla.org/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out:
1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection)
2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts**
@ -203,7 +203,7 @@ Max Protection enforces the use of DNS over HTTPS, and a security warning will s
#### Sync
[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
### Arkenfox (advanced)
@ -214,7 +214,7 @@ Max Protection enforces the use of DNS over HTTPS, and a security warning will s
</div>
The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/kb/containers#w_for-advanced-users) support.
Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing.
@ -224,23 +224,23 @@ Arkenfox only aims to thwart basic or naive tracking scripts through canvas rand
![Brave logo](assets/img/browsers/brave.svg){ align=right }
**Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
**Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features), many of which are enabled by default.
Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
[:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://brave.com){ .md-button .md-button--primary }
[:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
[:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
[:octicons-eye-16:](https://brave.com/privacy/browser){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.brave.com){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
- [:simple-windows11: Windows](https://brave.com/download/)
- [:simple-apple: macOS](https://brave.com/download/)
- [:simple-linux: Linux](https://brave.com/linux/) (1)
- [:simple-windows11: Windows](https://brave.com/download)
- [:simple-apple: macOS](https://brave.com/download)
- [:simple-linux: Linux](https://brave.com/linux) (1)
</details>
@ -265,7 +265,7 @@ These options can be found in :material-menu: → **Settings**.
##### Shields
Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/articles/360022973471-What-is-Shields) feature. We suggest configuring these options [globally](https://support.brave.com/hc/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings) across all pages that you visit.
Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
@ -289,14 +289,14 @@ Brave allows you to select additional content filters within the internal `brave
</div>
1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net) extension.
2. If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis by clicking on the Shield icon in the address bar.
##### Privacy and security
<div class="annotate" markdown>
- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/articles/360017989132-How-do-I-change-my-Privacy-Settings#webrtc)
- [ ] Uncheck **Use Google services for push messaging**
- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
- [ ] Uncheck **Automatically send daily usage ping to Brave**
@ -305,7 +305,7 @@ Brave allows you to select additional content filters within the internal `brave
</div>
1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser).
1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity) use the [Tor Browser](tor.md#tor-browser).
<div class="admonition tip" markdown>
<p class="admonition-title">Sanitizing on close</p>
@ -342,7 +342,7 @@ Brave's Web3 features can potentially add to your browser fingerprint and attack
#### Sync
[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
[Brave Sync](https://support.brave.com/hc/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
#### Brave Rewards and Wallet
@ -370,7 +370,7 @@ In general, we recommend keeping your browser extensions to a minimum to decreas
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin)
- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
- [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
@ -407,7 +407,7 @@ uBlock Origin also has a "Lite" version of their extension, which offers a very
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/addon/ublock-origin-lite/)
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/addon/ublock-origin-lite)
- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh)
</details>
@ -441,14 +441,14 @@ We are working on establishing defined criteria for every section of our site, a
- Available on Linux, macOS, and Windows.
- Any changes required to make the browser more privacy-respecting should not negatively impact user experience.
- Blocks third-party cookies by default.
- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^2]
- Supports [state partitioning](https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^2]
### Best-Case
Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
- Includes built-in content blocking functionality.
- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)).
- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/kb/containers)).
- Supports Progressive Web Apps.
PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates.
- Does not include add-on functionality (bloatware) that does not impact user privacy.
@ -462,4 +462,4 @@ Our best-case criteria represents what we would like to see from the perfect pro
- Must directly impact user privacy, i.e. must not simply provide information.
[^1]: uBlock Origin Lite *itself* will consume no resources, because it uses newer APIs which make the browser process the filter lists natively, instead of running JavaScript code within the extension to handle the filtering. However, this resource advantage is only [theoretical](https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-asked-questions-(FAQ)#is-ubol-more-efficient-cpu--and-memory-wise-than-ubo), because it's possible that standard uBlock Origin's filtering code is more efficient than your browser's native filtering code. This has not yet been benchmarked.
[^2]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/).
[^2]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state).

76
docs/desktop.md
View File

@ -16,17 +16,17 @@ Linux distributions are commonly recommended for privacy protection and software
![Fedora logo](assets/img/linux-desktop/fedora.svg){ align=right }
**Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
**Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general.
[:octicons-home-16: Homepage](https://fedoraproject.org/workstation/){ .md-button .md-button--primary }
[:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation}
[:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
[:octicons-home-16: Homepage](https://fedoraproject.org/workstation){ .md-button .md-button--primary }
[:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs){ .card-link title=Documentation}
[:octicons-heart-16:](https://whatcanidoforfedora.org){ .card-link title=Contribute }
</details>
</div>
Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
### openSUSE Tumbleweed
@ -36,11 +36,11 @@ Fedora has a semi-rolling release cycle. While some packages like [GNOME](https:
**openSUSE Tumbleweed** is a stable rolling release distribution.
openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
[:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
[:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation}
[:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute }
[:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed){ .md-button .md-button--primary }
[:octicons-info-16:](https://doc.opensuse.org){ .card-link title=Documentation}
[:octicons-heart-16:](https://shop.opensuse.org){ .card-link title=Contribute }
</details>
@ -56,9 +56,9 @@ Tumbleweed follows a rolling release model where each update is released as a sn
**Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).
[:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary }
[:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation}
[:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute }
[:octicons-home-16: Homepage](https://archlinux.org){ .md-button .md-button--primary }
[:octicons-info-16:](https://wiki.archlinux.org){ .card-link title=Documentation}
[:octicons-heart-16:](https://archlinux.org/donate){ .card-link title=Contribute }
</details>
@ -82,22 +82,22 @@ A large portion of [Arch Linuxs packages](https://reproducible.archlinux.org)
**Fedora Atomic Desktops** are variants of Fedora which use the `rpm-ostree` package manager and have a strong focus on containerized workflows and Flatpak for desktop applications. All of these variants follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
[:octicons-home-16: Homepage](https://fedoraproject.org/atomic-desktops/){ .md-button .md-button--primary }
[:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute }
[:octicons-home-16: Homepage](https://fedoraproject.org/atomic-desktops){ .md-button .md-button--primary }
[:octicons-heart-16:](https://whatcanidoforfedora.org){ .card-link title=Contribute }
</details>
</div>
The [Fedora Atomic Desktops](https://fedoramagazine.org/introducing-fedora-atomic-desktops/) come in a variety of flavors depending on the desktop environment you prefer, such as **Fedora Silverblue** (which comes with [GNOME](https://www.gnome.org/)), **Fedora Kinoite**, (which comes with [KDE](https://kde.org/)), **Fedora Sway Atomic**, or **Fedora Budgie Atomic**. However, we don't recommend the last of these as the Budgie desktop environment [still requires X11](https://buddiesofbudgie.org/blog/wayland).
The [Fedora Atomic Desktops](https://fedoramagazine.org/introducing-fedora-atomic-desktops) come in a variety of flavors depending on the desktop environment you prefer, such as **Fedora Silverblue** (which comes with [GNOME](https://gnome.org)), **Fedora Kinoite**, (which comes with [KDE](https://kde.org)), **Fedora Sway Atomic**, or **Fedora Budgie Atomic**. However, we don't recommend the last of these as the Budgie desktop environment [still requires X11](https://buddiesofbudgie.org/blog/wayland).
These operating systems differ from Fedora Workstation as they replace the [DNF](https://docs.fedoraproject.org/en-US/quick-docs/dnf/) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
These operating systems differ from Fedora Workstation as they replace the [DNF](https://docs.fedoraproject.org/en-US/quick-docs/dnf) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/package-management/rpm-ostree). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
[Flatpak](https://flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
### NixOS
@ -107,7 +107,7 @@ As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fed
NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.
[:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://nixos.org){ .md-button .md-button--primary }
[:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation}
[:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute }
@ -135,10 +135,10 @@ Nix is a source-based package manager; if theres no pre-built available in th
**Whonix** is based on [Kicksecure](#kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).
[:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
[:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
[:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
[:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
[:octicons-home-16: Homepage](https://whonix.org){ .md-button .md-button--primary }
[:simple-torbrowser:](http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
[:octicons-info-16:](https://whonix.org/wiki/Documentation){ .card-link title=Documentation}
[:octicons-heart-16:](https://whonix.org/wiki/Donate){ .card-link title=Contribute }
</details>
@ -146,9 +146,9 @@ Nix is a source-based package manager; if theres no pre-built available in th
Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
Some of its features include Tor Stream Isolation, [keystroke anonymization](https://whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers). We have a [recommended guide](os/qubes-overview.md#connecting-to-tor-via-a-vpn) on configuring Whonix in conjunction with a VPN ProxyVM in Qubes to hide your Tor activities from your ISP.
Whonix is best used [in conjunction with Qubes](https://whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers). We have a [recommended guide](os/qubes-overview.md#connecting-to-tor-via-a-vpn) on configuring Whonix in conjunction with a VPN ProxyVM in Qubes to hide your Tor activities from your ISP.
### Tails
@ -158,9 +158,9 @@ Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qube
**Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
[:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary }
[:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation}
[:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute }
[:octicons-home-16: Homepage](https://tails.net){ .md-button .md-button--primary }
[:octicons-info-16:](https://tails.net/doc/index.en.html){ .card-link title=Documentation}
[:octicons-heart-16:](https://tails.net/donate){ .card-link title=Contribute }
</details>
@ -177,7 +177,7 @@ Tails is great for counter forensics due to amnesia (meaning nothing is written
Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.net/doc/persistent_storage/index.en.html) can be configured to store some data between reboots.
## Security-focused Distributions
@ -189,12 +189,12 @@ By design, Tails is meant to completely reset itself after each reboot. Encrypte
**Qubes OS** is an open-source operating system designed to provide strong security for desktop computing through secure virtual machines (or "qubes"). Qubes is based on Xen, the X Window System, and Linux. It can run most Linux applications and use most of the Linux drivers.
[:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://qubes-os.org){ .md-button .md-button--primary }
[:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
[:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
[:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
[:octicons-eye-16:](https://qubes-os.org/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://qubes-os.org/doc){ .card-link title=Documentation }
[:octicons-code-16:](https://github.com/QubesOS){ .card-link title="Source Code" }
[:octicons-heart-16:](https://qubes-os.org/donate){ .card-link title=Contribute }
</details>
@ -214,11 +214,11 @@ While we [recommend against](os/linux-overview.md#release-cycle) "perpetually ou
**Kicksecure**—in oversimplified terms—is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. It also serves as the base OS for [Whonix](#whonix).
[:octicons-home-16: Homepage](https://www.kicksecure.com/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.kicksecure.com/wiki/Privacy_Policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.kicksecure.com/wiki/Documentation){ .card-link title=Documentation }
[:octicons-home-16: Homepage](https://kicksecure.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://kicksecure.com/wiki/Privacy_Policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://kicksecure.com/wiki/Documentation){ .card-link title=Documentation }
[:octicons-code-16:](https://github.com/Kicksecure){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.kicksecure.com/wiki/Donate){ .card-link title=Contribute }
[:octicons-heart-16:](https://kicksecure.com/wiki/Donate){ .card-link title=Contribute }
</details>

28
docs/device-integrity.md
View File

@ -26,7 +26,7 @@ This means an attacker would have to regularly re-infect your device to retain a
If any of the following tools indicate a potential compromise by spyware such as Pegasus, Predator, or KingsPawn, we advise that you contact:
- If you are a human rights defender, journalist, or from a civil society organization: [Amnesty International's Security Lab](https://securitylab.amnesty.org/contact-us/)
- If you are a human rights defender, journalist, or from a civil society organization: [Amnesty International's Security Lab](https://securitylab.amnesty.org/contact-us)
- If a business or government device is compromised: Contact the appropriate security liason at your enterprise, department, or agency
- Local law enforcement
@ -54,7 +54,7 @@ Public indicators of compromise are insufficient to determine that a device is "
Reliable and comprehensive digital forensic support and triage requires access to non-public indicators, research and threat intelligence.
Such support is available to civil society through [Amnesty International's Security Lab](https://www.amnesty.org/en/tech/) or [Access Nows Digital Security Helpline](https://www.accessnow.org/help/).
Such support is available to civil society through [Amnesty International's Security Lab](https://amnesty.org/en/tech) or [Access Nows Digital Security Helpline](https://accessnow.org/help).
</div>
@ -66,16 +66,16 @@ These tools can trigger false-positives. If any of these tools finds indicators
![MVT logo](assets/img/device-integrity/mvt.webp){ align=right }
**Mobile Verification Toolkit** (**MVT**) is a collection of utilities which simplifies and automates the process of scanning mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT was developed by Amnesty International and released in 2021 in the context of the [Pegasus Project](https://forbiddenstories.org/about-the-pegasus-project/).
**Mobile Verification Toolkit** (**MVT**) is a collection of utilities which simplifies and automates the process of scanning mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT was developed by Amnesty International and released in 2021 in the context of the [Pegasus Project](https://forbiddenstories.org/about-the-pegasus-project).
[:octicons-home-16: Homepage](https://mvt.re/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://mvt.re){ .md-button .md-button--primary }
[:octicons-code-16:](https://github.com/mvt-project/mvt){ .card-link title="Source Code" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-apple: macOS](https://docs.mvt.re/en/latest/install/)
- [:simple-linux: Linux](https://docs.mvt.re/en/latest/install/)
- [:simple-apple: macOS](https://docs.mvt.re/en/latest/install)
- [:simple-linux: Linux](https://docs.mvt.re/en/latest/install)
</details>
@ -109,7 +109,7 @@ MVT allows you to perform deeper scans/analysis if your device is jailbroken. Un
**iMazing** provides a free spyware analyzer tool for iOS devices which acts as a GUI-wrapper for [MVT](#mobile-verification-toolkit). This can be much easier to run compared to MVT itself, which is a command-line tool designed for technologists and forensic investigators.
[:octicons-home-16: Homepage](https://imazing.com/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://imazing.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://imazing.com/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://imazing.com/spyware-analyzer){ .card-link title=Documentation}
@ -166,7 +166,7 @@ Auditor is not a scanning/analysis tool like some other tools on this page, rath
Auditor performs attestation and intrusion detection with **two** devices, an *auditee* (the device being verified) and an *auditor* (the device performing the verification). The auditor can be any Android 10+ device (or a remote web service operated by [GrapheneOS](android.md#grapheneos)), while the auditee must be a specifically [supported device](https://attestation.app/about#device-support). Auditor works by:
- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore) of the *Auditor*.
- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
- The *auditor* records the current state and configuration of the *auditee*.
- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
@ -206,13 +206,13 @@ Using these apps is insufficient to determine that a device is "clean", and not
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-android: F-Droid](https://f-droid.org/packages/us.spotco.malwarescanner/)
- [:simple-android: F-Droid](https://f-droid.org/packages/us.spotco.malwarescanner)
</details>
</div>
Hypatia is particularly good at detecting common stalkerware: If you suspect you are a victim of stalkerware, you should [visit this page](https://stopstalkerware.org/information-for-survivors/) for advice.
Hypatia is particularly good at detecting common stalkerware: If you suspect you are a victim of stalkerware, you should [visit this page](https://stopstalkerware.org/information-for-survivors) for advice.
### iVerify (iOS)
@ -222,14 +222,14 @@ Hypatia is particularly good at detecting common stalkerware: If you suspect you
**iVerify** is an iOS app which automatically scans your device to check configuration settings, patch level, and other areas of security. It also checks your device for indicators of compromise by jailbreak tools or spyware such as Pegasus.
[:octicons-home-16: Homepage](https://www.iverify.io/consumer){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.iverify.io/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.iverify.io/frequently-asked-questions#iVerify-General){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://iverify.io/consumer){ .md-button .md-button--primary }
[:octicons-eye-16:](https://iverify.io/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://iverify.io/frequently-asked-questions#iVerify-General){ .card-link title=Documentation}
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-appstore: App Store](https://apps.apple.com/us/app/iverify/id1466120520)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1466120520)
</details>

28
docs/dns.md
View File

@ -14,18 +14,18 @@ Encrypted DNS with third-party servers should only be used to get around basic [
| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering |
| ------------ | -------------- | --------- | ------- | --- | --------- |
| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext <br> DoH/3 <br> DoT <br> DoQ <br> DNSCrypt | Some[^1] | Yes | Based on personal configuration. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) |
| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext <br> DoH/3 <br> DoT | Some[^2] | No | Based on personal configuration.|
| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setup) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver) | Cleartext <br> DoH/3 <br> DoT | Some[^2] | No | Based on personal configuration.|
| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext <br> DoH/3 <br> DoT <br> DoQ| Optional[^3] | No | Based on personal configuration. |
| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH <br> DoT | No[^4] | No | Based on personal configuration. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) |
| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext <br> DoH/3 <br> DoT <br> DoQ | Optional[^5] | Optional | Based on personal configuration. |
| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^6] | Optional | Based on personal configuration, Malware blocking by default. |
| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy) | DoH <br> DoT | No[^4] | No | Based on personal configuration. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) |
| [**NextDNS**](https://nextdns.io) | [:octicons-link-external-24:](https://nextdns.io/privacy) | Cleartext <br> DoH/3 <br> DoT <br> DoQ | Optional[^5] | Optional | Based on personal configuration. |
| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^6] | Optional | Based on personal configuration, Malware blocking by default. |
[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver)
[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy)
[^5]: NextDNS can provide insights and logging features on an opt-out basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://quad9.net/privacy/policy](https://quad9.net/privacy/policy)
### Criteria
@ -57,7 +57,7 @@ After installation of either a configuration profile or an app that uses the DNS
#### Signed Profiles
Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://quad9.net/news/blog/ios-mobile-provisioning-profiles).
<div class="admonition info" markdown>
<p class="admonition-title">Info</p>
@ -81,7 +81,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ad
[:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation}
[:octicons-info-16:](https://docs.rethinkdns.com){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" }
<details class="downloads" markdown>
@ -132,7 +132,7 @@ A self-hosted DNS solution is useful for providing filtering on controlled platf
![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
**AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
**AdGuard Home** is an open-source [DNS-sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://cloudflare.com/learning/access-management/what-is-dns-filtering) to block unwanted web content, such as advertisements.
AdGuard Home features a polished web interface to view insights and manage blocked content.
@ -151,13 +151,13 @@ AdGuard Home features a polished web interface to view insights and manage block
![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right }
**Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
**Pi-hole** is an open-source [DNS-sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://cloudflare.com/learning/access-management/what-is-dns-filtering) to block unwanted web content, such as advertisements.
Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
[:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://pi-hole.net){ .md-button .md-button--primary }
[:octicons-eye-16:](https://pi-hole.net/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.pi-hole.net){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" }
[:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute }

38
docs/email-clients.md
View File

@ -27,17 +27,17 @@ OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Fo
**Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Matrix) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
[:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
[:octicons-home-16: Homepage](https://thunderbird.net){ .md-button .md-button--primary }
[:octicons-eye-16:](https://mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation}
[:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-windows11: Windows](https://www.thunderbird.net)
- [:simple-apple: macOS](https://www.thunderbird.net)
- [:simple-linux: Linux](https://www.thunderbird.net)
- [:simple-windows11: Windows](https://thunderbird.net)
- [:simple-apple: macOS](https://thunderbird.net)
- [:simple-linux: Linux](https://thunderbird.net)
- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)
</details>
@ -74,7 +74,7 @@ These options can be found in :material-menu: → **Settings** → **Privacy & S
**Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email.
[:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" }
[:octicons-eye-16:](https://apple.com/legal/privacy/en-ww){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.apple.com/mail){ .card-link title=Documentation}
</details>
@ -93,7 +93,7 @@ Apple Mail has the ability to load remote content in the background or block it
[:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
[:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
[:octicons-info-16:](https://canarymail.zendesk.com){ .card-link title=Documentation}
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -127,7 +127,7 @@ Canary Mail is closed-source. We recommend it due to the few choices there are f
[:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" }
[:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute }
[:octicons-heart-16:](https://email.faircode.eu/donate){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -145,13 +145,13 @@ Canary Mail is closed-source. We recommend it due to the few choices there are f
![Evolution logo](assets/img/email-clients/evolution.svg){ align=right }
**Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.
**Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable) to help you get started.
[:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
[:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
[:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute }
[:octicons-info-16:](https://help.gnome.org/users/evolution/stable){ .card-link title=Documentation}
[:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution){ .card-link title="Source Code" }
[:octicons-heart-16:](https://gnome.org/donate){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -174,7 +174,7 @@ In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022
[:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
[:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
[:octicons-info-16:](https://docs.k9mail.app){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/thundernest/k-9){ .card-link title="Source Code" }
[:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute }
@ -205,9 +205,9 @@ When replying to someone on a mailing list the "reply" option may also include t
[:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
[:octicons-info-16:](https://kontact.kde.org/users){ .card-link title=Documentation}
[:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" }
[:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
[:octicons-heart-16:](https://kde.org/community/donations){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -227,8 +227,8 @@ When replying to someone on a mailing list the "reply" option may also include t
**Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
[:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-home-16: Homepage](https://mailvelope.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://mailvelope.com/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" }
@ -254,9 +254,9 @@ When replying to someone on a mailing list the "reply" option may also include t
NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable.
[:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary }
[:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation}
[:octicons-info-16:](https://neomutt.org/guide){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute }
[:octicons-heart-16:](https://paypal.com/paypalme/russon){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>

60
docs/email.md
View File

@ -54,7 +54,7 @@ OpenPGP also does not support Forward secrecy, which means if either your or the
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
- [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
- [:simple-appstore: App Store](https://apps.apple.com/app/id979659905)
- [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
- [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
- [:simple-apple: macOS](https://proton.me/mail/bridge#download)
@ -73,7 +73,7 @@ Proton Mail has internal crash reports that they **do not** share with third par
#### :material-check:{ .pg-green } Custom Domains and Aliases
Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [sub-addressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
#### :material-check:{ .pg-green } Private Payment Methods
@ -128,7 +128,7 @@ Proton Mail doesn't offer a digital legacy feature.
#### :material-check:{ .pg-green } Custom Domains and Aliases
Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/en/private/custom-domains/how-to-set-up-a-catch-all-alias-with-a-custom-domain-name) addresses. Mailbox.org also supports [sub-addressing](https://kb.mailbox.org/en/private/account-article/what-is-an-alias-and-how-do-i-use-it), which is useful if you don't want to purchase a domain.
#### :material-check:{ .pg-green } Private Payment Methods
@ -136,17 +136,17 @@ Mailbox.org doesn't accept any cryptocurrencies as a result of their payment pro
#### :material-check:{ .pg-green } Account Security
Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
Mailbox.org supports [two factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
#### :material-information-outline:{ .pg-blue } Data Security
Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). New messages that you receive will then be immediately encrypted with your public key.
However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
#### :material-check:{ .pg-green } Email Encryption
Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately.
@ -156,9 +156,9 @@ Your account will be set to a restricted user account when your contract ends, a
#### :material-information-outline:{ .pg-blue } Additional Functionality
You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/en/private/faq-article/the-tor-exit-node-of-mailbox-org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
@ -184,18 +184,18 @@ These providers store your emails with zero-knowledge encryption, making them gr
[:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://tuta.com/faq){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
[:octicons-heart-16:](https://tuta.com/community/){ .card-link title=Contribute }
[:octicons-heart-16:](https://tuta.com/community){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
- [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609)
- [:simple-appstore: App Store](https://apps.apple.com/app/id922429609)
- [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
- [:simple-windows11: Windows](https://tuta.com/#download)
- [:simple-apple: macOS](https://tuta.com/#download)
- [:simple-linux: Linux](https://tuta.com/#download)
- [:octicons-browser-16: Web](https://app.tuta.com/)
- [:octicons-browser-16: Web](https://app.tuta.com)
</details>
@ -205,7 +205,7 @@ Tuta doesn't support the [IMAP protocol](https://tuta.com/faq/#imap) or the use
#### :material-check:{ .pg-green } Custom Domains and Aliases
Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and unlimited aliases on [custom domains](https://tuta.com/faq#custom-domain). Tuta doesn't allow for [subaddressing (plus addresses)](https://tuta.com/faq#plus), but you can use a [catch-all](https://tuta.com/howto#settings-global) with a custom domain.
Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and unlimited aliases on [custom domains](https://tuta.com/faq#custom-domain). Tuta doesn't allow for [sub-addressing (plus addresses)](https://tuta.com/faq#plus), but you can use a [catch-all](https://tuta.com/howto#settings-global) with a custom domain.
#### :material-information-outline:{ .pg-blue } Private Payment Methods
@ -231,7 +231,7 @@ Tuta will [delete inactive free accounts](https://tuta.com/faq#inactive-accounts
Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount.
Tuta also has a business feature called [Secure Connect](https://tuta.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y.
Tuta also has a business feature called [Secure Connect](https://tuta.com/secure-connect). This ensures customer contact to the business uses E2EE. The feature costs €240/y.
Tuta doesn't offer a digital legacy feature.
@ -283,14 +283,14 @@ Using an aliasing service requires trusting both your email provider and your al
- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app)
- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app)
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io/)
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io)
- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe)
</details>
</div>
The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can create unlimited standard aliases (which end in a domain like @[username].addy.io or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit/) addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf).
The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can create unlimited standard aliases (which end in a domain like @[username].addy.io or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf).
Notable free features:
@ -309,8 +309,8 @@ Notable free features:
**SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains.
[:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
[:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
[:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
<details class="downloads" markdown>
@ -319,16 +319,16 @@ Notable free features:
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
- [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin/)
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin)
- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
- [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
- [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
- [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
</details>
</div>
SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free.
@ -353,9 +353,9 @@ Advanced system administrators may consider setting up their own email server. M
**Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
[:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
[:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
[:octicons-info-16:](https://docs.mailcow.email){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
[:octicons-heart-16:](https://servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
</div>
@ -373,8 +373,8 @@ Advanced system administrators may consider setting up their own email server. M
For a more manual approach we've picked out these two articles:
- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd) (2019)
- [How To Run Your Own Mail Server](https://c0ffee.net/blog/mail-server-guide) (August 2017)
## Criteria
@ -387,7 +387,7 @@ We regard these features as important in order to provide a safe and optimal ser
**Minimum to Qualify:**
- Encrypts email account data at rest with zero-access encryption.
- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard.
- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard.
- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
@ -399,7 +399,7 @@ We regard these features as important in order to provide a safe and optimal ser
GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support.
- Catch-all or alias functionality for those who own their own domains.
- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
@ -427,13 +427,13 @@ Email servers deal with a lot of very sensitive data. We expect that providers w
- Protection of webmail with 2FA, such as TOTP.
- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/).
- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996).
- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
- Website security standards such as:
- [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
@ -448,7 +448,7 @@ Email servers deal with a lot of very sensitive data. We expect that providers w
- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
- Website security standards such as:
- [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
- [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/)
- [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163)
### Trust

60
docs/encryption.md
View File

@ -21,15 +21,15 @@ The options listed here are multi-platform and great for creating encrypted back
[:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation}
[:octicons-info-16:](https://docs.cryptomator.org){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
[:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
[:octicons-heart-16:](https://cryptomator.org/donate){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1560822163)
- [:simple-android: Android](https://cryptomator.org/android)
- [:simple-windows11: Windows](https://cryptomator.org/downloads)
- [:simple-apple: macOS](https://cryptomator.org/downloads)
@ -44,7 +44,7 @@ Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptom
Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices) for use in further detail.
### Picocrypt (File)
@ -80,15 +80,15 @@ Cryptomator's documentation details its intended [security target](https://docs.
[:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
[:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
[:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
[:octicons-code-16:](https://veracrypt.fr/code){ .card-link title="Source Code" }
[:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
- [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
- [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
- [:simple-windows11: Windows](https://veracrypt.fr/en/Downloads.html)
- [:simple-apple: macOS](https://veracrypt.fr/en/Downloads.html)
- [:simple-linux: Linux](https://veracrypt.fr/en/Downloads.html)
</details>
@ -110,15 +110,15 @@ For encrypting the drive your operating system boots from, we generally recommen
![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
**BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it for encrypting your boot drive is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). ElcomSoft, a forensics company, has written about this feature in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
**BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it for encrypting your boot drive is because of its [use of TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm). ElcomSoft, a forensics company, has written about this feature in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection).
[:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
[:octicons-info-16:](https://learn.microsoft.com/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
</details>
</div>
BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
BitLocker is [only supported](https://support.microsoft.com/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
<details class="example" markdown>
<summary>Enabling BitLocker on Windows Home</summary>
@ -135,7 +135,7 @@ To enable BitLocker on "Home" editions of Windows, you must have partitions form
powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
```
3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot****Advanced Options****Command Prompt**.
3. Access [Advanced Startup Options](https://support.microsoft.com/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot****Advanced Options****Command Prompt**.
4. Login with your admin account and type this in the command prompt to start encryption:
```powershell
manage-bde -on c: -used
@ -184,7 +184,7 @@ We recommend storing a local recovery key in a secure place as opposed to using
[:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary }
[:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
[:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
[:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup){ .card-link title="Source Code" }
</details>
@ -230,20 +230,20 @@ Tools with command-line interfaces are useful for integrating [shell scripts](ht
![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
**Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
**Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign) to provide a simple, easier alternative to GPG.
[:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://kryptor.co.uk){ .md-button .md-button--primary }
[:octicons-eye-16:](https://kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://kryptor.co.uk/tutorial){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute }
[:octicons-heart-16:](https://kryptor.co.uk/#donate){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-windows11: Windows](https://www.kryptor.co.uk)
- [:simple-apple: macOS](https://www.kryptor.co.uk)
- [:simple-linux: Linux](https://www.kryptor.co.uk)
- [:simple-windows11: Windows](https://kryptor.co.uk)
- [:simple-apple: macOS](https://kryptor.co.uk)
- [:simple-linux: Linux](https://kryptor.co.uk)
</details>
@ -257,10 +257,10 @@ Tools with command-line interfaces are useful for integrating [shell scripts](ht
**Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).
[:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://dyne.org/software/tomb){ .md-button .md-button--primary }
[:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
[:octicons-heart-16:](https://dyne.org/donate){ .card-link title=Contribute }
</details>
@ -270,12 +270,12 @@ Tools with command-line interfaces are useful for integrating [shell scripts](ht
OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
<div class="admonition tip" markdown>
<p class="admonition-title">Use future defaults when generating a key</p>
When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
When [generating keys](https://gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to):
```bash
gpg --quick-gen-key alice@example.com future-default
@ -289,7 +289,7 @@ gpg --quick-gen-key alice@example.com future-default
![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
**GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
**GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
[:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" }
@ -368,11 +368,11 @@ We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com
![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
**OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
**OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).
[:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://openkeychain.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://openkeychain.org/faq){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" }
<details class="downloads" markdown>

18
docs/file-sharing.md
View File

@ -14,7 +14,7 @@ Discover how to privately share your files between your devices, with your frien
![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
**Send** is a fork of Mozillas discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself.
**Send** is a fork of Mozillas discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee). You can use other public instances, or you can host Send yourself.
[:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
[:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
@ -82,7 +82,7 @@ We are working on establishing defined criteria for every section of our site, a
[:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary }
[:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
[:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" }
[:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute }
[:octicons-heart-16:](https://freedomboxfoundation.org/donate){ .card-link title=Contribute }
</details>
@ -100,9 +100,9 @@ We are working on establishing defined criteria for every section of our site, a
[:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
[:octicons-info-16:](https://nextcloud.com/support){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
[:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
[:octicons-heart-16:](https://nextcloud.com/contribute){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -136,16 +136,16 @@ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_e
[:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
[:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
[:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
[:octicons-heart-16:](https://syncthing.net/donations){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
- [:simple-windows11: Windows](https://syncthing.net/downloads/)
- [:simple-apple: macOS](https://syncthing.net/downloads/)
- [:simple-linux: Linux](https://syncthing.net/downloads/)
- [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
- [:simple-windows11: Windows](https://syncthing.net/downloads)
- [:simple-apple: macOS](https://syncthing.net/downloads)
- [:simple-linux: Linux](https://syncthing.net/downloads)
- [:simple-freebsd: FreeBSD](https://syncthing.net/downloads)
</details>

14
docs/financial-services.md
View File

@ -30,7 +30,7 @@ Many banks and credit card providers offer native virtual card functionality. If
[:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation}
[:octicons-info-16:](https://support.privacy.com){ .card-link title=Documentation}
</details>
@ -47,9 +47,9 @@ Privacy.com gives information about the merchants you purchase from to your bank
**MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use.
[:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://mysudo.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://anonyome.com/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.mysudo.com){ .card-link title=Documentation}
</details>
@ -83,9 +83,9 @@ These services allow you to purchase gift cards for a variety of merchants onlin
**CoinCards** (available in the US and Canada) allows you to purchase gift cards for a large variety of merchants.
[:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://coincards.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://coincards.com/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://coincards.com/frequently-asked-questions){ .card-link title=Documentation}
</details>

28
docs/frontends.md
View File

@ -19,7 +19,7 @@ When you are using an instance run by someone else, make sure to read the privac
![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right }
**ProxiTok** is an open-source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable.
**ProxiTok** is an open-source frontend to the [TikTok](https://tiktok.com) website that is also self-hostable.
There are a number of public instances, with some instances having [Tor](tor.md) onion services support.
@ -53,7 +53,7 @@ By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube op
[:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary }
[:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation}
[:octicons-info-16:](https://docs.freetubeapp.io){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" }
[:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute }
@ -72,7 +72,7 @@ By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube op
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](tor.md) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](tor.md) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
</div>
@ -84,7 +84,7 @@ When using FreeTube, your IP address may still be known to YouTube, [Invidious](
**Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device.
You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions.
You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee) before you can use Yattee to watch YouTube, due to App Store restrictions.
[:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary }
[:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" }
@ -95,7 +95,7 @@ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/)
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629)
- [:simple-apple: App Store](https://apps.apple.com/app/id1595136629)
- [:simple-github: GitHub](https://github.com/yattee/yattee/releases)
</details>
@ -105,7 +105,7 @@ You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/)
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](tor.md) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](tor.md) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
</div>
@ -139,7 +139,7 @@ LibreTube allows you to store your subscription list and playlists locally on yo
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](tor.md) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](tor.md) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
</div>
@ -151,15 +151,15 @@ By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube
![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right }
**NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
**NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org) (1).
Your subscription list and playlists are saved locally on your Android device.
[:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary }
[:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation}
[:octicons-info-16:](https://teamnewpipe.github.io/documentation){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" }
[:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute }
[:octicons-heart-16:](https://newpipe.net/donate){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -170,7 +170,7 @@ Your subscription list and playlists are saved locally on your Android device.
</div>
1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings****Content** → **PeerTube instances**
1. The default instance is [FramaTube](https://framatube.org), however more can be added via **Settings****Content** → **PeerTube instances**
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
@ -192,9 +192,9 @@ There are a number of public instances, with some instances having [Tor](tor.md)
[:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary }
[:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"}
[:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation}
[:octicons-info-16:](https://docs.invidious.io){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" }
[:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute }
[:octicons-heart-16:](https://invidious.io/donate){ .card-link title=Contribute }
</details>
@ -226,7 +226,7 @@ Piped requires JavaScript in order to function and there are a number of public
[:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
[:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
[:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
[:octicons-info-16:](https://piped-docs.kavin.rocks){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
[:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }

6
docs/index.md
View File

@ -8,7 +8,7 @@ hide:
- toc
- feedback
schema:
-
-
"@context": https://schema.org
"@type": Organization
"@id": https://www.privacyguides.org/
@ -22,7 +22,7 @@ schema:
- https://opencollective.com/privacyguides
- https://www.youtube.com/@privacyguides
- https://mastodon.neat.computer/@privacyguides
-
-
"@context": https://schema.org
"@type": WebSite
name: Privacy Guides
@ -61,7 +61,7 @@ Trying to protect all your data from everyone all the time is impractical, expen
## We need you! Here's how to get involved:
[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" }
[:simple-discourse:](https://discuss.privacyguides.net){ title="Join our Forum" }
[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" }
[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" }
[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" }

14
docs/kb-archive.md
View File

@ -7,10 +7,10 @@ description: Some pages that used to be in our knowledge base can now be found o
Some pages that used to be in our knowledge base can now be found on our blog:
- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/)
- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/)
- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/)
- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/)
- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/)
- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos)
- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening)
- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening)
- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing)
- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure)
- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal)
- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide)

20
docs/meta/admonitions.md
View File

@ -165,11 +165,11 @@ This format is used to generate recommendation cards. Notably it is missing the
![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ align=right }
**PhotoPrism** is a self-hostable platform for managing photos. It supports album syncing and sharing as well as a variety of other [features](https://www.photoprism.app/features). It does not include E2EE, so it's best hosted on a server that you trust and is under your control.
**PhotoPrism** is a self-hostable platform for managing photos. It supports album syncing and sharing as well as a variety of other [features](https://photoprism.app/features). It does not include E2EE, so it's best hosted on a server that you trust and is under your control.
[:octicons-home-16: Homepage](https://www.photoprism.app){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.photoprism.app/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.photoprism.app/kb){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://photoprism.app){ .md-button .md-button--primary }
[:octicons-eye-16:](https://photoprism.app/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://photoprism.app/kb){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/photoprism){ .card-link title="Source Code" }
<details class="downloads" markdown>
@ -188,11 +188,11 @@ This format is used to generate recommendation cards. Notably it is missing the
![PhotoPrism logo](../assets/img/photo-management/photoprism.svg){ align=right }
**PhotoPrism** is a self-hostable platform for managing photos. It supports album syncing and sharing as well as a variety of other [features](https://www.photoprism.app/features). It does not include E2EE, so it's best hosted on a server that you trust and is under your control.
**PhotoPrism** is a self-hostable platform for managing photos. It supports album syncing and sharing as well as a variety of other [features](https://photoprism.app/features). It does not include E2EE, so it's best hosted on a server that you trust and is under your control.
[:octicons-home-16: Homepage](https://www.photoprism.app){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.photoprism.app/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.photoprism.app/kb){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://photoprism.app){ .md-button .md-button--primary }
[:octicons-eye-16:](https://photoprism.app/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://photoprism.app/kb){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/photoprism){ .card-link title="Source Code" }
<details class="downloads" markdown>
@ -215,7 +215,7 @@ This is a special type of collapsible admonition, used to generate the download
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
- [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
- [:simple-appstore: App Store](https://apps.apple.com/app/id979659905)
- [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
- [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
- [:simple-apple: macOS](https://proton.me/mail/bridge#download)
@ -231,7 +231,7 @@ This is a special type of collapsible admonition, used to generate the download
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
- [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
- [:simple-appstore: App Store](https://apps.apple.com/app/id979659905)
- [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
- [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
- [:simple-apple: macOS](https://proton.me/mail/bridge#download)

6
docs/meta/translations.md
View File

@ -2,9 +2,9 @@
title: Translations
---
Crowdin has good documentation, and we suggest looking at their [Getting Started](https://support.crowdin.com/crowdin-intro/) guide. Our site is largely written in [Markdown](https://en.wikipedia.org/wiki/Markdown), so it should be easy to contribute. This page contains some helpful pointers for translating some specific syntax you may encounter on our site.
Crowdin has good documentation, and we suggest looking at their [Getting Started](https://support.crowdin.com/crowdin-intro) guide. Our site is largely written in [Markdown](https://en.wikipedia.org/wiki/Markdown), so it should be easy to contribute. This page contains some helpful pointers for translating some specific syntax you may encounter on our site.
Please join our localization room on Matrix ([#pg-i18n:aragon.sh](https://matrix.to/#/%23pg-i18n:aragon.sh)) if you have any additional questions, and read our [announcement blog post](https://blog.privacyguides.org/2023/02/26/i18n-announcement/) for additional information about the project.
Please join our localization room on Matrix ([#pg-i18n:aragon.sh](https://matrix.to/#/%23pg-i18n:aragon.sh)) if you have any additional questions, and read our [announcement blog post](https://blog.privacyguides.org/2023/02/26/i18n-announcement) for additional information about the project.
Note that the English version of the site is the primary version, meaning changes occur there first. If you notice a language falling behind the English version, please help out. We cannot guarantee the accuracy of all our translations. If you have a suggestion about content specific to your region, please open an issue or pull request to our [main repository](https://github.com/privacyguides/privacyguides.org).
@ -78,4 +78,4 @@ CJK writing systems tend to use alternative "fullwidth" variants of common symbo
- Links must use regular parenthesis ie `(` (Left Parenthesis U+0028) and `)` (Right Parenthesis U+0029) and not `` (Fullwidth Left Parenthesis U+FF08) or `` (Fullwidth Right Parenthesis U+FF09)
- Indented quoted text must use `:` (Colon U+003A) and not `` (Fullwidth Colon U+FF1A)
- Pictures must use `!` (Exclamation Mark U+0021) and not `` (Fullwidth Exclamation Mark U+FF01)
- Pictures must use `!` (Exclamation Mark U+0021) and not `` (Fullwidth Exclamation Mark U+FF01)

2
docs/meta/uploading-images.md
View File

@ -17,7 +17,7 @@ Company logos have canvas size of:
### PNG
Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image:
Use the [OptiPNG](https://sourceforge.net/projects/optipng) to optimize the PNG image:
```bash
optipng -o7 file.png

14
docs/meta/writing-style.md
View File

@ -4,11 +4,11 @@ title: Writing Style
Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt.
In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
In general the [United States federal plain language guidelines](https://plainlanguage.gov/guidelines) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below.
## Writing for our audience
Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
Privacy Guides' intended [audience](https://plainlanguage.gov/guidelines/audience) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with.
### Address only what people want to know
@ -24,7 +24,7 @@ We're writing *for* a wide variety of people, but we are writing *to* the person
>
> When you use “you” to address users, they are more likely to understand what their responsibility is.
Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/)
Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/audience/address-the-user)
### Avoid "users"
@ -37,7 +37,7 @@ Organization is key. Content should flow from most to least important informatio
- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages.
- Mark important ideas with **bold** or *italics*.
Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/design)
### Begin with a topic sentence
@ -45,7 +45,7 @@ Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/)
>
> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where youre going. Dont make readers hold a lot of information in their heads before getting to the point.
Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/)
Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/organize/have-a-topic-sentence)
## Choose your words carefully
@ -65,7 +65,7 @@ We should try to avoid abbreviations where possible, but technology is full of a
> Unnecessary words waste your audiences time. Great writing is like a conversation. Omit information that the audience doesnt need to know. This can be difficult as a subject matter expert so its important to have someone look at the information from the audiences perspective.
Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/concise)
## Keep text conversational
@ -77,7 +77,7 @@ Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/)
> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.”
Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/)
Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/conversational/use-active-voice)
### Use "must" for requirements

40
docs/mobile-browsers.md
View File

@ -5,13 +5,13 @@ icon: material/cellphone-information
description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone.
cover: mobile-browsers.webp
schema:
-
-
"@context": http://schema.org
"@type": WebPage
name: Private Mobile Browser Recommendations
url: "./"
relatedLink: "../desktop-browsers/"
-
-
"@context": http://schema.org
"@type": MobileApplication
name: Brave
@ -23,12 +23,12 @@ schema:
subjectOf:
"@type": WebPage
url: "./"
-
-
"@context": http://schema.org
"@type": MobileApplication
name: Safari
image: /assets/img/browsers/safari.svg
url: https://www.apple.com/safari/
url: https://apple.com/safari
applicationCategory: Web Browser
operatingSystem:
- iOS
@ -40,7 +40,7 @@ These are our currently recommended mobile web browsers and configurations for s
## Android
On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
### Brave
@ -48,14 +48,14 @@ On Android, Firefox is still less secure than Chromium-based alternatives: Mozil
![Brave logo](assets/img/browsers/brave.svg){ align=right }
**Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
**Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features), many of which are enabled by default.
Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
[:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://brave.com){ .md-button .md-button--primary }
[:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
[:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
[:octicons-eye-16:](https://brave.com/privacy/browser){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.brave.com){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
<details class="downloads" markdown>
@ -76,7 +76,7 @@ These options can be found in :material-menu: → **Settings** → **Brave Shiel
##### Shields
Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/articles/360022973471-What-is-Shields) feature. We suggest configuring these options [globally](https://support.brave.com/hc/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings) across all pages that you visit.
##### Brave shields global defaults
@ -100,7 +100,7 @@ Brave allows you to select additional content filters within the internal `brave
</div>
1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net) extension.
##### Clear browsing data
@ -114,7 +114,7 @@ Brave allows you to select additional content filters within the internal `brave
<div class="annotate" markdown>
- [x] Select **Disable non-proxied UDP** under [WebRTC IP handling policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
- [x] Select **Disable non-proxied UDP** under [WebRTC IP handling policy](https://support.brave.com/hc/articles/360017989132-How-do-I-change-my-Privacy-Settings#webrtc)
- [ ] Uncheck **Allow sites to check if you have payment methods saved**
- [ ] Uncheck **IPFS Gateway** (1)
- [x] Select **Close tabs on exit**
@ -128,7 +128,7 @@ Brave allows you to select additional content filters within the internal `brave
#### Brave Sync
[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
[Brave Sync](https://support.brave.com/hc/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE.
## iOS
@ -140,10 +140,10 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
![Safari logo](assets/img/browsers/safari.svg){ align=right }
**Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/), Privacy Report, isolated and ephemeral Private Browsing tabs, iCloud Private Relay, fingerprinting protection by randomizing and presenting a simplified version of the system configuration to websites so more devices look identical, and the ability to lock private tabs with your biometrics/PIN. It also allows you to separate your browsing with different profiles.
**Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), Privacy Report, isolated and ephemeral Private Browsing tabs, iCloud Private Relay, fingerprinting protection by randomizing and presenting a simplified version of the system configuration to websites so more devices look identical, and the ability to lock private tabs with your biometrics/PIN. It also allows you to separate your browsing with different profiles.
[:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
[:octicons-home-16: Homepage](https://apple.com/safari){ .md-button .md-button--primary }
[:octicons-eye-16:](https://apple.com/legal/privacy/data/en/safari){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
</details>
@ -184,7 +184,7 @@ Privacy Report is accessible via the Page Settings menu.
- [ ] Disable **Privacy Preserving Ad Measurement**
Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
@ -200,9 +200,9 @@ Do note that Private Browsing does not save cookies and website data, so it won'
##### iCloud Sync
Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://apple.com/legal/privacy/en-ww).
You can enable E2EE for your Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
You can enable E2EE for your Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**.
- [x] Turn On **Advanced Data Protection**
@ -226,7 +226,7 @@ AdGuard for iOS has some premium features; however, standard Safari content bloc
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1047223162)
</details>

30
docs/multi-factor-authentication.md
View File

@ -12,21 +12,21 @@ cover: multi-factor-authentication.webp
![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
[:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
</details>
</div>
The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open source.
YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
@ -45,17 +45,17 @@ The firmware of YubiKey is not open source and is not updatable. If you want fea
**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
[:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
</details>
</div>
The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download).
Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
@ -73,7 +73,7 @@ Resetting the OpenPGP interface on a Nitrokey will also make the password databa
</div>
The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware.
The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
@ -126,7 +126,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.ente.auth)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/ente-authenticator/id6444121398)
- [:simple-appstore: App Store](https://apps.apple.com/app/id6444121398)
- [:simple-github: GitHub](https://github.com/ente-io/ente/releases)
- [:octicons-globe-16: Web](https://auth.ente.io)
@ -146,7 +146,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
[:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute }
[:octicons-heart-16:](https://buymeacoffee.com/beemdevelopment){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>

14
docs/news-aggregators.md
View File

@ -21,7 +21,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
[:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation}
[:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" }
[:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
[:octicons-heart-16:](https://kde.org/community/donations){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -83,7 +83,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
[:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
[:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation}
[:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" }
[:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute }
@ -121,15 +121,15 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
**NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Reddit feeds.
[:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://netnewswire.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://netnewswire.com/privacypolicy.html){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation}
[:octicons-info-16:](https://netnewswire.com/help){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1480640210)
- [:simple-apple: macOS](https://netnewswire.com)
</details>
@ -178,7 +178,7 @@ Reddit allows you to subscribe to subreddits via RSS.
Replace `[SUBREDDIT]` with the subreddit you wish to subscribe to.
```text
https://www.reddit.com/r/[SUBREDDIT]/new/.rss
https://reddit.com/r/[SUBREDDIT]/new/.rss
```
</div>
@ -193,7 +193,7 @@ You can subscribe YouTube channels without logging in and associating usage info
To subscribe to a YouTube channel with an RSS client, first look for its [channel code](https://support.google.com/youtube/answer/6180214). The channel code can be found on the about page of the YouTube channel you wish to subscribe to, under: **About** > **Share** > **Copy channel ID**. Replace `[CHANNEL ID]` below:
```text
https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
https://youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID]
```
</div>

26
docs/notebooks.md
View File

@ -34,7 +34,7 @@ If you are currently using an application like Evernote, Google Keep, or Microso
- [:simple-windows11: Windows](https://standardnotes.com)
- [:simple-apple: macOS](https://standardnotes.com)
- [:simple-linux: Linux](https://standardnotes.com)
- [:octicons-globe-16: Web](https://app.standardnotes.com/)
- [:octicons-globe-16: Web](https://app.standardnotes.com)
</details>
@ -46,11 +46,11 @@ If you are currently using an application like Evernote, Google Keep, or Microso
![Notesnook logo](assets/img/notebooks/notesnook.svg){ align=right }
**Notesnook** is a free (as in speech) & open-source note-taking app focused on user privacy & ease of use. It features end-to-end encryption on all platforms with a powerful sync to take your notes on the go. You can easily import your notes from Evernote, OneNote & a lot of other apps using their [official importer](https://importer.notesnook.com/).
**Notesnook** is a free (as in speech) & open-source note-taking app focused on user privacy & ease of use. It features end-to-end encryption on all platforms with a powerful sync to take your notes on the go. You can easily import your notes from Evernote, OneNote & a lot of other apps using their [official importer](https://importer.notesnook.com).
[:octicons-home-16: Homepage](https://notesnook.com/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://notesnook.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://notesnook.com/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://help.notesnook.com/){ .card-link title=Documentation}
[:octicons-info-16:](https://help.notesnook.com){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/streetwriters/notesnook){ .card-link title="Source Code" }
[:octicons-heart-16:](https://github.com/streetwriters/notesnook/blob/master/CONTRIBUTING.md){ .card-link title=Contribute }
@ -58,12 +58,12 @@ If you are currently using an application like Evernote, Google Keep, or Microso
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.streetwriters.notesnook)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/notesnook-take-private-notes/id1544027013)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1544027013)
- [:simple-github: GitHub](https://github.com/streetwriters/notesnook/releases)
- [:simple-windows11: Windows](https://notesnook.com/downloads)
- [:simple-apple: macOS](https://notesnook.com/downloads)
- [:simple-linux: Linux](https://notesnook.com/downloads)
- [:simple-firefoxbrowser: Firefox](https://notesnook.com/notesnook-web-clipper/)
- [:simple-firefoxbrowser: Firefox](https://notesnook.com/notesnook-web-clipper)
- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/notesnook-web-clipper/kljhpemdlcnjohmfmkogahelkcidieaj)
</details>
@ -80,22 +80,22 @@ Notesnook only allows local note encryption with the [private vault](https://hel
**Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
[:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://joplinapp.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://joplinapp.org/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://joplinapp.org/help){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" }
[:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute }
[:octicons-heart-16:](https://joplinapp.org/donate){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1315599797)
- [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases)
- [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications)
- [:simple-apple: macOS](https://joplinapp.org/#desktop-applications)
- [:simple-linux: Linux](https://joplinapp.org/#desktop-applications)
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper)
- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
</details>
@ -138,7 +138,7 @@ Cryptee offers 100MB of storage for free, with paid options if you need more. Si
![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right }
**Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining to-do lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools.
**Org-mode** is a [major mode](https://gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining to-do lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools.
[:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary }
[:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation}

18
docs/os/android-overview.md
View File

@ -59,7 +59,7 @@ Many OEMs also have broken implementation of Verified Boot that you have to be a
Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC, and they will provide a minimum of 5 years of support. With the introduction of the Pixel 8 series, Google increased that support window to 7 years.
As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC, and they will provide a minimum of 5 years of support. With the introduction of the Pixel 8 series, Google increased that support window to 7 years.
EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
@ -96,19 +96,19 @@ Android 13:
An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need.
[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal.
[Exodus](https://exodus-privacy.eu.org) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal.
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely.
If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely.
</div>
<div class="admonition note" markdown>
<p class="admonition-title">Note</p>
Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics.
Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics.
</div>
@ -144,20 +144,20 @@ If you are using a device with Google services, either your stock operating syst
### Advanced Protection Program
If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
The Advanced Protection Program provides enhanced threat monitoring and enables:
- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
- Only Google and verified third-party apps can access account data
- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
- Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
- Stricter recovery process for accounts with lost credentials
If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949) such as:
- Not allowing app installation outside the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
- Warning you about unverified applications
### Google Play System Updates
@ -168,7 +168,7 @@ If you have an EOL device shipped with Android 10 or above and are unable to run
### Advertising ID
All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you.
On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings****Apps****Sandboxed Google Play****Google Settings****Ads**, and select *Delete advertising ID*.

10
docs/os/ios-overview.md
View File

@ -21,7 +21,7 @@ The only source for apps on iOS is Apple's App Store, which requires an Apple ID
### Invasive Telemetry
Apple has historically had problems with properly anonymizing their telemetry on iOS. [In 2019](https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings), Apple was found to transmit Siri recordings—some containing highly confidential information—to their servers for manual review by third-party contractors. While they temporarily stopped that program after that practice was [widely reported on](https://www.theverge.com/2019/8/23/20830120/apple-contractors-siri-recordings-listening-1000-a-day-globetech-microsoft-cortana), the problem wasn't completely resolved [until 2021](https://www.theguardian.com/technology/2021/jun/07/apple-overhauls-siri-to-address-privacy-concerns-and-improve-performance).
Apple has historically had problems with properly anonymizing their telemetry on iOS. [In 2019](https://theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings), Apple was found to transmit Siri recordings—some containing highly confidential information—to their servers for manual review by third-party contractors. While they temporarily stopped that program after that practice was [widely reported on](https://theverge.com/2019/8/23/20830120/apple-contractors-siri-recordings-listening-1000-a-day-globetech-microsoft-cortana), the problem wasn't completely resolved [until 2021](https://theguardian.com/technology/2021/jun/07/apple-overhauls-siri-to-address-privacy-concerns-and-improve-performance).
More recently, Apple has been found to [transmit analytics even when analytics sharing is disabled](https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558) on iOS, and this data [appears](https://twitter.com/mysk_co/status/1594515229915979776) to be easily linked to unique iCloud account identifiers despite supposedly being anonymous.
@ -53,7 +53,7 @@ At the top of the **Settings** app, you'll see your name and profile picture if
#### Find My
**Find My** is a service that lets you track your Apple devices and share your location with your friends and family. It also allows you to wipe your device remotely in case it is stolen, preventing a thief from accessing your data. Your Find My [location data is E2EE](https://www.apple.com/legal/privacy/data/en/find-my/) when:
**Find My** is a service that lets you track your Apple devices and share your location with your friends and family. It also allows you to wipe your device remotely in case it is stolen, preventing a thief from accessing your data. Your Find My [location data is E2EE](https://apple.com/legal/privacy/data/en/find-my) when:
- Your location is shared with a family member or friend, and you both use iOS 15 or greater.
- Your device is offline and is located by the Find My Network.
@ -116,7 +116,7 @@ If you don't want anyone to be able to control your phone with Siri when it is l
Setting a strong password on your phone is the most important step you can take for physical device security. You'll have to make tradeoffs here between security and convenience: A longer password will be annoying to type in every time, but a shorter password or PIN will be easier to guess. Setting up Face ID or Touch ID along with a strong password can be a good compromise between usability and security.
Select **Turn Passcode On** or **Change Passcode** > **Passcode Options** > **Custom Alphanumeric Code**. Make sure that you create a [secure password](https://www.privacyguides.org/basics/passwords-overview/).
Select **Turn Passcode On** or **Change Passcode** > **Passcode Options** > **Custom Alphanumeric Code**. Make sure that you create a [secure password](../basics/passwords-overview.md).
If you wish to use Face ID or Touch ID, you can go ahead and set it up now. Your phone will use the password you set up earlier as a fallback in case your biometric verification fails. Biometric unlock methods are primarily a convenience, although they do stop surveillance cameras or people over your shoulder from watching you input your passcode.
@ -128,7 +128,7 @@ On some older devices, you may have to press the power button five times to disa
- [x] Select **Turn On Protection**
After enabling stolen data protection, [certain actions](https://support.apple.com/en-us/HT212510) will require biometric authentication without a password fallback (in the event that a shoulder surfer has obtained your PIN), such as using password autofill, accessing payment information, and disabling lost mode. It also adds a security delay to certain actions performed away from your home or other "familiar location," such as requiring a 1-hour timer to reset your Apple ID password or sign out of your Apple ID. This delay is intended to give you time to enable Lost Mode and secure your account before a thief can reset your device.
After enabling stolen data protection, [certain actions](https://support.apple.com/HT212510) will require biometric authentication without a password fallback (in the event that a shoulder surfer has obtained your PIN), such as using password autofill, accessing payment information, and disabling lost mode. It also adds a security delay to certain actions performed away from your home or other "familiar location," such as requiring a 1-hour timer to reset your Apple ID password or sign out of your Apple ID. This delay is intended to give you time to enable Lost Mode and secure your account before a thief can reset your device.
**Allow Access When Locked** gives you options for what you can allow when your phone is locked. The more of these options you disable, the less someone without your password can do, but the less convenient it will be for you. Pick and choose which of these you don't want someone to have access to if they get their hands on your phone.
@ -186,7 +186,7 @@ Disable **Personalized Ads** if you don't want targeted ads. Select **Apple Adve
- [x] Select **Turn On App Privacy Report**
[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) is a security setting you can enable to make your phone more resistant to attacks. Be aware that certain apps and features [won't work](https://support.apple.com/en-us/HT212650) as they do normally.
[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) is a security setting you can enable to make your phone more resistant to attacks. Be aware that certain apps and features [won't work](https://support.apple.com/HT212650) as they do normally.
- [x] Select **Turn On Lockdown Mode**

36
docs/os/linux-overview.md
View File

@ -14,12 +14,12 @@ Our website generally uses the term “Linux” to describe **desktop** Linux di
There are some notable privacy concerns with Linux which you should be aware of. Despite these drawbacks, desktop Linux distributions are still great for most people who want to:
- Avoid telemetry that often comes with proprietary operating systems
- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms)
- Use privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/)
- Maintain [software freedom](https://gnu.org/philosophy/free-sw.en.html#four-freedoms)
- Use privacy focused systems such as [Whonix](https://whonix.org) or [Tails](https://tails.net)
### Open-Source Security
It is a [common misconception](../basics/common-misconceptions.md#open-source-software-is-always-secure-or-proprietary-software-is-more-secure) that Linux and other open-source software is inherently secure simply because the source code is available. There is an expectation that community verification occurs regularly, but this isnt always [the case](https://seirdy.one/posts/2022/02/02/floss-security/).
It is a [common misconception](../basics/common-misconceptions.md#open-source-software-is-always-secure-or-proprietary-software-is-more-secure) that Linux and other open-source software is inherently secure simply because the source code is available. There is an expectation that community verification occurs regularly, but this isnt always [the case](https://seirdy.one/posts/2022/02/02/floss-security).
In reality, distro security depends on a number of factors, such as project activity, developer experience, the level of rigor applied to code reviews, and how often attention is given to specific parts of the codebase that may go untouched for years.
@ -29,9 +29,9 @@ At the moment, desktop Linux [falls behind alternatives](https://discussion.fedo
- **Verified boot** on Linux is not as robust as alternatives such as Apples [Secure Boot](https://support.apple.com/guide/security/secac71d5623/web) or Androids [Verified Boot](https://source.android.com/security/verifiedboot). Verified boot prevents persistent tampering by malware and [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack), but is still largely [unavailable on even the most advanced distributions](https://discussion.fedoraproject.org/t/has-silverblue-achieved-verified-boot/27251/3).
- **Strong sandboxing** for apps on Linux is severely lacking, even with containerized apps like Flatpaks or sandboxing solutions like Firejail. Flatpak is the most promising sandboxing utility for Linux thus far, but is still deficient in many areas and allows for [unsafe defaults](https://flatkill.org/2020/) which allow most apps to trivially bypass their sandbox.
- **Strong sandboxing** for apps on Linux is severely lacking, even with containerized apps like Flatpaks or sandboxing solutions like Firejail. Flatpak is the most promising sandboxing utility for Linux thus far, but is still deficient in many areas and allows for [unsafe defaults](https://flatkill.org/2020) which allow most apps to trivially bypass their sandbox.
Additionally, Linux falls behind in implementing [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) which are now standard on other operating systems, such as Arbitrary Code Guard on Windows or Hardened Runtime on macOS. Also, most Linux programs and Linux itself are coded in memory-unsafe languages. Memory corruption bugs are responsible for the [majority of vulnerabilities](https://msrc.microsoft.com/blog/2019/07/a-proactive-approach-to-more-secure-code/) fixed and assigned a CVE. While this is also true for Windows and macOS, they are quickly making progress on adopting memory-safe languages—such as Rust and Swift, respectively—while there is no similar effort to rewrite Linux in a memory-safe language like Rust.
Additionally, Linux falls behind in implementing [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) which are now standard on other operating systems, such as Arbitrary Code Guard on Windows or Hardened Runtime on macOS. Also, most Linux programs and Linux itself are coded in memory-unsafe languages. Memory corruption bugs are responsible for the [majority of vulnerabilities](https://msrc.microsoft.com/blog/2019/07/a-proactive-approach-to-more-secure-code) fixed and assigned a CVE. While this is also true for Windows and macOS, they are quickly making progress on adopting memory-safe languages—such as Rust and Swift, respectively—while there is no similar effort to rewrite Linux in a memory-safe language like Rust.
## Choosing your distribution
@ -41,9 +41,9 @@ Not all Linux distributions are created equal. Our [Linux recommendation page](.
We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often dont update package versions and fall behind on security updates.
For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE ID](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
For frozen distributions such as [Debian](https://debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE ID](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
We dont believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
We dont believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme) has a presentation about this:
<div class="yt-embed">
<iframe width="560" height="315" src="https://invidious.privacyguides.net/embed/i8c0mg_mS7U?local=true" title="Regular Releases are Wrong, Roll for your life" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
@ -73,7 +73,7 @@ Arch and Arch-based distributions are not recommended for those new to Linux (re
For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository) **must** be comfortable auditing PKGBUILDs that they download from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/).
Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository) **must** be comfortable auditing PKGBUILDs that they download from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository).
The AUR should always be used sparingly, and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
@ -82,11 +82,11 @@ If you are experienced with Linux and wish to use an Arch-based distribution, we
Additionally, we recommend **against** these two Arch derivatives specifically:
- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes dont break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Archs repositories.
- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages dont suffer from supply chain attacks.
- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages dont suffer from supply chain attacks.
### Linux-libre kernel and “Libre” distributions
We recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/news/GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode.
We recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://phoronix.com/news/GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode.
## General Recommendations
@ -94,7 +94,7 @@ We recommend **against** using the Linux-libre kernel, since it [removes securit
Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isnt set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/)
- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure)
### Swap
@ -104,15 +104,15 @@ If you require suspend-to-disk (hibernation) functionality, you will still need
### Wayland
We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol, as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor ([X11](https://en.wikipedia.org/wiki/X_Window_System)) does not support GUI isolation, which allows any window to [record, log, and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences, and are neither convenient to set up nor preferable over Wayland.
We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol, as it was developed with security [in mind](https://lwn.net/Articles/589147). Its predecessor ([X11](https://en.wikipedia.org/wiki/X_Window_System)) does not support GUI isolation, which allows any window to [record, log, and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences, and are neither convenient to set up nor preferable over Wayland.
Fortunately, [wayland compositors](https://en.wikipedia.org/wiki/Wayland_(protocol)#Wayland_compositors) such as those included with [GNOME](https://www.gnome.org) and [KDE Plasma](https://kde.org) now have good support for Wayland along with some other compositors that use [wlroots](https://gitlab.freedesktop.org/wlroots/wlroots/-/wikis/Projects-which-use-wlroots), (e.g. [Sway](https://swaywm.org)). Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/news/X.Org-Maintenance-Mode-Quickly). If youre using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
Fortunately, [wayland compositors](https://en.wikipedia.org/wiki/Wayland_(protocol)#Wayland_compositors) such as those included with [GNOME](https://gnome.org) and [KDE Plasma](https://kde.org) now have good support for Wayland along with some other compositors that use [wlroots](https://gitlab.freedesktop.org/wlroots/wlroots/-/wikis/Projects-which-use-wlroots), (e.g. [Sway](https://swaywm.org)). Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://phoronix.com/news/X.Org-Maintenance-Mode-Quickly). If youre using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
### Proprietary Firmware (Microcode Updates)
Some Linux distributions (such as [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre)-based or DIY distros) dont come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates which patch critical security vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
Some Linux distributions (such as [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre)-based or DIY distros) dont come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates which patch critical security vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html).
We **highly recommend** that you install microcode updates, as they contain important security patches for the CPU which can not be fully mitigated in software alone. Fedora and openSUSE both have the microcode updates applied by default.
@ -130,11 +130,11 @@ Additionally, some distributions will not download firmware updates automaticall
Many desktop Linux distributions (Fedora, openSUSE, etc.) come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager) to configure Ethernet and Wi-Fi settings.
It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network youre connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network youre connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/).
We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm).
If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
MAC address randomization is primarily beneficial for Wi-Fi connections. For Ethernet connections, randomizing your MAC address provides little (if any) benefit, because a network administrator can trivially identify your device by other means (such as inspecting the port you are connected to on the network switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fis firmware.
@ -150,6 +150,6 @@ There are other system identifiers which you may wish to be careful about. You s
The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.
This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems) timer.
openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.

8
docs/os/macos-overview.md
View File

@ -5,7 +5,7 @@ description: macOS is Apple's desktop operating system that works with their har
---
**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings.
Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/en-us/HT211814).
Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple silicon](https://support.apple.com/HT211814).
## Privacy Notes
@ -21,13 +21,13 @@ macOS performs online checks when you open an app to verify whether an app conta
Previously, these checks were performed via an unencrypted OCSP protocol which could leak information about the apps you ran to your network. Apple upgraded their OCSP service to use HTTPS encryption in 2021, and [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally promised to add a mechanism for people to opt-out of this online check, but this has not been added to macOS as of July 2023.
While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private/) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running.
## Recommended Configuration
Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account.
However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass/). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time.
If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen.
@ -127,7 +127,7 @@ On older Intel-based Mac computers, FileVault is the only form of disk encryptio
##### Lockdown Mode
[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers/) and [WASM](https://developer.mozilla.org/en-US/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode) disables some features in order to improve security. Some apps or features won't work the same way they do when it's off, for example, [JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers) and [WASM](https://developer.mozilla.org/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts your usage, many of the changes it makes are easy to live with.
- [x] Click **Turn On**

18
docs/os/qubes-overview.md
View File

@ -3,11 +3,11 @@ title: "Qubes Overview"
icon: simple/qubesos
description: Qubes is an operating system built around isolating apps within *qubes* (formerly "VMs") for heightened security.
---
[**Qubes OS**](../desktop.md#qubes-os) is an open-source operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated *qubes*, (which are Virtual Machines). You can assign each *qube* a level of trust based on its purpose. Qubes OS provides security by using isolation. It only permits actions on a per-case basis and therefore is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
[**Qubes OS**](../desktop.md#qubes-os) is an open-source operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated *qubes*, (which are Virtual Machines). You can assign each *qube* a level of trust based on its purpose. Qubes OS provides security by using isolation. It only permits actions on a per-case basis and therefore is the opposite of [badness enumeration](https://ranum.com/security/computer_security/editorials/dumb).
## How does Qubes OS work?
Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) *qubes*.
Qubes uses [compartmentalization](https://qubes-os.org/intro) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://qubes-os.org/doc/how-to-use-disposables) *qubes*.
<details class="note" markdown>
<summary>The term <em>qubes</em> is gradually being updated to avoid referring to them as "virtual machines".</summary>
@ -19,7 +19,7 @@ Some of the information here and on the Qubes OS documentation may contain confl
![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
<figcaption>Qubes Architecture, Credit: What is Qubes OS Intro</figcaption>
Each qube has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the domain in which it runs. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
Each qube has a [colored border](https://qubes-os.org/screenshots) that can help you keep track of the domain in which it runs. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
<figcaption>Qubes window borders, Credit: Qubes Screenshots</figcaption>
@ -32,7 +32,7 @@ Qubes OS utilizes [dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM for contr
### Copying and Pasting Text
You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:
You can [copy and paste text](https://qubes-os.org/doc/how-to-copy-and-paste-text) using `qvm-copy-to-vm` or the below instructions:
1. Press **Ctrl+C** to tell the *qube* you're in that you want to copy something.
2. Press **Ctrl+Shift+C** to tell the *qube* to make this buffer available to the global clipboard.
@ -46,13 +46,13 @@ To copy and paste files and directories (folders) from one *qube* to another, yo
<details class="note" markdown>
<summary>Qubes do not have their own filesystems.</summary>
You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between *qubes*. When doing so the changes aren't immediately made and can be easily undone in case of an accident. When you run a *qube*, it does not have a persistent filesystem. You can create and delete files, but these changes are ephemeral.
You can [copy and move files](https://qubes-os.org/doc/how-to-copy-and-move-files) between *qubes*. When doing so the changes aren't immediately made and can be easily undone in case of an accident. When you run a *qube*, it does not have a persistent filesystem. You can create and delete files, but these changes are ephemeral.
</details>
### Inter-VM Interactions
The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
The [qrexec framework](https://qubes-os.org/doc/qrexec) is a core part of Qubes which allows communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://qubes-os.org/news/2020/06/22/new-qrexec-policy-system).
## Connecting to Tor via a VPN
@ -72,9 +72,9 @@ Your qubes should be configured in a manner similar to this:
## Additional Resources
For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://qubes-os.org/doc). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
- [Arguably the world's most secure operating system](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) (Open Technology Fund)
- [Arguably the world's most secure operating system](https://opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard) (Open Technology Fund)
- [Software compartmentalization vs. physical separation](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) (J. Rutkowska)
- [Partitioning my digital life into security domains](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) (J. Rutkowska)
- [Related Articles](https://www.qubes-os.org/news/categories/#articles) (Qubes OS)
- [Related Articles](https://qubes-os.org/news/categories/#articles) (Qubes OS)

62
docs/passwords.md
View File

@ -65,7 +65,7 @@ schema:
"@type": SoftwareApplication
name: KeePassXC
image: /assets/img/password-management/keepassxc.svg
url: https://keepassxc.org/
url: https://keepassxc.org
sameAs: https://en.wikipedia.org/wiki/KeePassXC
applicationCategory: Password Manager
operatingSystem:
@ -81,7 +81,7 @@ schema:
"@type": SoftwareApplication
name: KeePassDX
image: /assets/img/password-management/keepassdx.svg
url: https://www.keepassdx.com/
url: https://keepassdx.com
applicationCategory: Password Manager
operatingSystem: Android
subjectOf:
@ -93,7 +93,7 @@ schema:
"@type": SoftwareApplication
name: Strongbox
image: /assets/img/password-management/strongbox.svg
url: https://strongboxsafe.com/
url: https://strongboxsafe.com
applicationCategory: Password Manager
operatingSystem: iOS
subjectOf:
@ -105,7 +105,7 @@ schema:
"@type": SoftwareApplication
name: gopass
image: /assets/img/password-management/gopass.svg
url: https://www.gopass.pw/
url: https://gopass.pw
applicationCategory: Password Manager
operatingSystem:
- Windows
@ -126,7 +126,7 @@ Password managers allow you to securely store and manage passwords and other cre
Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have.
For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default.
For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/HT202303) offers E2EE by default.
</div>
@ -144,14 +144,14 @@ These password managers sync your passwords to a cloud server for easy accessibi
[:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation}
[:octicons-info-16:](https://bitwarden.com/help){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
- [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1137397744)
- [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases)
- [:simple-windows11: Windows](https://bitwarden.com/download)
- [:simple-linux: Linux](https://bitwarden.com/download)
@ -164,7 +164,7 @@ These password managers sync your passwords to a cloud server for easy accessibi
</div>
Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan).
Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan).
You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing.
@ -183,20 +183,20 @@ Bitwarden's server-side code is [open source](https://github.com/bitwarden/serve
![1Password logo](assets/img/password-management/1password.svg){ align=right }
**1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf).
**1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up). 1Password is [audited](https://support.1password.com/security-assessments) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf).
[:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://1password.com/legal/privacy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://1password.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://1password.com/legal/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.1password.com){ .card-link title=Documentation}
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8)
- [:simple-windows11: Windows](https://1password.com/downloads/windows/)
- [:simple-apple: macOS](https://1password.com/downloads/mac/)
- [:simple-linux: Linux](https://1password.com/downloads/linux/)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750)
- [:simple-windows11: Windows](https://1password.com/downloads/windows)
- [:simple-apple: macOS](https://1password.com/downloads/mac)
- [:simple-linux: Linux](https://1password.com/downloads/linux)
</details>
@ -225,7 +225,7 @@ One advantage 1Password has over Bitwarden is its first-class support for native
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1545581224)
- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
- [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
@ -276,9 +276,9 @@ These options allow you to manage an encrypted password database locally.
[:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation}
[:octicons-info-16:](https://keepassxc.org/docs){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" }
[:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute }
[:octicons-heart-16:](https://keepassxc.org/donate){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -304,10 +304,10 @@ KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-se
**KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
[:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://keepassdx.com){ .md-button .md-button--primary }
[:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute }
[:octicons-heart-16:](https://keepassdx.com/#donation){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -325,24 +325,24 @@ KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-se
![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right }
**Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license.
**Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison)—such as biometric authentication—locked behind a subscription or perpetual license.
[:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation}
[:octicons-eye-16:](https://strongboxsafe.com/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://strongboxsafe.com/getting-started){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" }
[:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)
- [:simple-appstore: App Store](https://apps.apple.com/app/id897283731)
</details>
</div>
Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface.
Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/id1581589638). This version is stripped down in an attempt to reduce attack surface.
### Command-line
@ -356,7 +356,7 @@ These products are minimal password managers that can be used within scripting a
**gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
[:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://gopass.pw){ .md-button .md-button--primary }
[:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" }
[:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute }
@ -364,10 +364,10 @@ These products are minimal password managers that can be used within scripting a
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
- [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
- [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
- [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
- [:simple-windows11: Windows](https://gopass.pw/#install-windows)
- [:simple-apple: macOS](https://gopass.pw/#install-macos)
- [:simple-linux: Linux](https://gopass.pw/#install-linux)
- [:simple-freebsd: FreeBSD](https://gopass.pw/#install-bsd)
</details>

22
docs/photo-management.md
View File

@ -13,9 +13,9 @@ Most cloud photo management solutions like Google Photos, Flickr, and Amazon Pho
![ente logo](assets/img/photo-management/ente.svg#only-light){ align=right }
![ente logo](assets/img/photo-management/ente-dark.svg#only-dark){ align=right }
**ente** is an end-to-end encrypted photo backup service which supports automatic backups on iOS and Android. Their code is fully open-source, both on the client side and on the server side. It is [self-hostable](https://github.com/ente-io/ente/tree/main/server#self-hosting). It underwent an [audit by Cure53](https://ente.io/blog/cryptography-audit/) in March 2023 and by [Fallible](https://ente.io/reports/Fallible-Audit-Report-19-04-2023.pdf) in April 2023.
**ente** is an end-to-end encrypted photo backup service which supports automatic backups on iOS and Android. Their code is fully open-source, both on the client side and on the server side. It is [self-hostable](https://github.com/ente-io/ente/tree/main/server#self-hosting). It underwent an [audit by Cure53](https://ente.io/blog/cryptography-audit) in March 2023 and by [Fallible](https://ente.io/reports/Fallible-Audit-Report-19-04-2023.pdf) in April 2023.
[:octicons-home-16: Homepage](https://ente.io/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://ente.io){ .md-button .md-button--primary }
[:octicons-eye-16:](https://ente.io/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://ente.io/faq){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/ente-io){ .card-link title="Source Code" }
@ -45,17 +45,17 @@ Most cloud photo management solutions like Google Photos, Flickr, and Amazon Pho
**Stingle** is a gallery and camera application with built-in, end-to-end encrypted backup and sync functionality for your photos and videos. Storage starts at 1GB for free accounts on their cloud, or you can host your own Stingle API server for total independence.
[:octicons-home-16: Homepage](https://stingle.org/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://stingle.org/privacy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://stingle.org/faq/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://stingle.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://stingle.org/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://stingle.org/faq){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/stingle){ .card-link title="Source Code" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.stingle.photos)
- [:simple-android: Android](https://f-droid.org/en/packages/org.stingle.photos/)
- [:simple-appstore: App Store](https://apps.apple.com/in/app/stingle-photos/id1582535448)
- [:simple-android: Android](https://f-droid.org/en/packages/org.stingle.photos)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1582535448)
- [:simple-github: GitHub](https://github.com/stingle)
</details>
@ -68,11 +68,11 @@ Most cloud photo management solutions like Google Photos, Flickr, and Amazon Pho
![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ align=right }
**PhotoPrism** is a self-hostable platform for managing photos. It supports album syncing and sharing as well as a variety of other [features](https://www.photoprism.app/features). It does not include E2EE, so it's best hosted on a server that you trust and is under your control.
**PhotoPrism** is a self-hostable platform for managing photos. It supports album syncing and sharing as well as a variety of other [features](https://photoprism.app/features). It does not include E2EE, so it's best hosted on a server that you trust and is under your control.
[:octicons-home-16: Homepage](https://www.photoprism.app){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.photoprism.app/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.photoprism.app/kb){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://photoprism.app){ .md-button .md-button--primary }
[:octicons-eye-16:](https://photoprism.app/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://photoprism.app/kb){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/photoprism){ .card-link title="Source Code" }
<details class="downloads" markdown>

38
docs/productivity.md
View File

@ -18,9 +18,9 @@ Most online office suites do not support E2EE, meaning the cloud provider has ac
[:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
[:octicons-info-16:](https://nextcloud.com/support){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
[:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
[:octicons-heart-16:](https://nextcloud.com/contribute){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
@ -52,8 +52,8 @@ We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_e
**CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily.
[:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
[:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation}
[:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.cryptpad.fr){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
[:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
@ -98,20 +98,20 @@ Our best-case criteria represents what we would like to see from the perfect pro
**LibreOffice** is a free and open-source office suite with extensive functionality.
[:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation}
[:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute }
[:octicons-home-16: Homepage](https://libreoffice.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://libreoffice.org/about-us/privacy/privacy-policy-en){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation){ .card-link title=Documentation}
[:octicons-code-16:](https://libreoffice.org/about-us/source-code){ .card-link title="Source Code" }
[:octicons-heart-16:](https://libreoffice.org/donate){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
- [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
- [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
- [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
- [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
- [:simple-googleplay: Google Play](https://libreoffice.org/download/android-and-ios)
- [:simple-appstore: App Store](https://libreoffice.org/download/android-and-ios)
- [:simple-windows11: Windows](https://libreoffice.org/download/download)
- [:simple-apple: macOS](https://libreoffice.org/download/download)
- [:simple-linux: Linux](https://libreoffice.org/download/download)
- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
</details>
@ -126,7 +126,7 @@ Our best-case criteria represents what we would like to see from the perfect pro
**OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.
[:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://onlyoffice.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" }
@ -136,9 +136,9 @@ Our best-case criteria represents what we would like to see from the perfect pro
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
- [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
- [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
- [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
- [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
- [:simple-windows11: Windows](https://onlyoffice.com/download-desktop.aspx)
- [:simple-apple: macOS](https://onlyoffice.com/download-desktop.aspx)
- [:simple-linux: Linux](https://onlyoffice.com/download-desktop.aspx)
- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors)
</details>
@ -175,7 +175,7 @@ In general, we define office suites as applications which could reasonably act a
**PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin.
[:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
[:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
[:octicons-server-16:](https://privatebin.info/directory){ .card-link title="Public Instances"}
[:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }

50
docs/real-time-communication.md
View File

@ -22,18 +22,18 @@ These messengers are great for securing your sensitive communications.
**Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging and calls secured with the Signal Protocol, an extremely secure encryption protocol which supports forward secrecy[^1] and post-compromise security.[^2]
[:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://signal.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
[:octicons-info-16:](https://support.signal.org){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
[:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
[:octicons-heart-16:](https://signal.org/donate){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
- [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
- [:simple-android: Android](https://signal.org/android/apk/)
- [:simple-android: Android](https://signal.org/android/apk)
- [:simple-windows11: Windows](https://signal.org/download/windows)
- [:simple-apple: macOS](https://signal.org/download/macos)
- [:simple-linux: Linux](https://signal.org/download/linux)
@ -53,13 +53,13 @@ Signal requires your phone number for registration, however you should create a
You can optionally change the **Who Can Find Me By Number** setting to **Nobody** as well, if you want to prevent people who already have your phone number from discovering your Signal account/username.
Contact lists on Signal are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. Signal supports [private groups](https://signal.org/blog/signal-private-group-system/), where the server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam.
Contact lists on Signal are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. Signal supports [private groups](https://signal.org/blog/signal-private-group-system), where the server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam.
The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs).
We have some additional tips on configuring and hardening your Signal installation:
[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/)
[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening)
### SimpleX Chat
@ -78,7 +78,7 @@ We have some additional tips on configuring and hardening your Signal installati
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1605771084)
- [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases)
- [:simple-windows11: Windows](https://simplex.chat/downloads/#desktop-app)
- [:simple-apple: macOS](https://simplex.chat/downloads/#desktop-app)
@ -98,20 +98,20 @@ SimpleX Chat supports basic group chatting functionality, direct messaging, and
![Briar logo](assets/img/messengers/briar.svg){ align=right }
**Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briars local mesh mode can be useful when internet availability is a problem.
**Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briars local mesh mode can be useful when internet availability is a problem.
[:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" }
[:octicons-home-16: Homepage](https://briarproject.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://briarproject.org/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation}
[:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" }
[:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" }
[:octicons-heart-16:](https://briarproject.org){ .card-link title="Donation options are listed on the bottom of the homepage" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
- [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/)
- [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/)
- [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop)
- [:simple-linux: Linux](https://briarproject.org/download-briar-desktop)
- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)
</details>
@ -120,7 +120,7 @@ SimpleX Chat supports basic group chatting functionality, direct messaging, and
To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contacts QR code if they are nearby.
The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited.
The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit), and the anonymous routing protocol uses the Tor network which has also been audited.
Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
@ -141,11 +141,11 @@ These messengers do not have forward secrecy[^1], and while they fulfill certain
![Element logo](assets/img/messengers/element.svg){ align=right }
**Element** is the reference [client](https://matrix.org/ecosystem/clients/) for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
**Element** is the reference [client](https://matrix.org/ecosystem/clients) for the [Matrix](https://matrix.org/docs/chat_basics/matrix-for-im) protocol, an [open standard](https://spec.matrix.org/latest) for secure decentralized real-time communication.
Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
[:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://element.io){ .md-button .md-button--primary }
[:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/element-hq){ .card-link title="Source Code" }
@ -154,11 +154,11 @@ Messages and files shared in private rooms (those which require an invite) are b
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
- [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
- [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
- [:simple-windows11: Windows](https://element.io/get-started)
- [:simple-apple: macOS](https://element.io/get-started)
- [:simple-linux: Linux](https://element.io/get-started)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1083446067)
- [:simple-github: GitHub](https://github.com/element-hq/element-android/releases)
- [:simple-windows11: Windows](https://element.io/download)
- [:simple-apple: macOS](https://element.io/download)
- [:simple-linux: Linux](https://element.io/download)
- [:octicons-globe-16: Web](https://app.element.io)
</details>
@ -171,7 +171,7 @@ Group voice and video calls are [not](https://github.com/vector-im/element-web/i
The Matrix protocol itself [theoretically supports forward secrecy](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy)[^1], however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history.
The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm cryptographic ratchet](https://matrix.org/docs/matrix-concepts/end-to-end-encryption/) used by Matrix is an implementation of Signals [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest). The [Olm cryptographic ratchet](https://matrix.org/docs/matrix-concepts/end-to-end-encryption) used by Matrix is an implementation of Signals [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet).
### Session
@ -181,9 +181,9 @@ The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matr
**Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
Session uses the decentralized [Oxen Service Node Network](https://oxen.io) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
[:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://getsession.org){ .md-button .md-button--primary }
[:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }

4
docs/router.md
View File

@ -34,10 +34,10 @@ You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to
**OPNsense** is an open-source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.
[:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://opnsense.org){ .md-button .md-button--primary }
[:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" }
[:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute }
[:octicons-heart-16:](https://opnsense.org/donate){ .card-link title=Contribute }
</details>

24
docs/search-engines.md
View File

@ -9,7 +9,7 @@ Use a search engine that doesn't build an advertising profile based on your sear
The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored.
Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
Consider using a [VPN](vpn.md) or [Tor](tor.md) if your threat model requires hiding your IP address from the search provider.
## Brave Search
@ -23,7 +23,7 @@ Brave Search includes unique features such as Discussions, which highlights conv
We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
[:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://search.brave.com){ .md-button .md-button--primary }
[:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" }
[:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
@ -40,14 +40,14 @@ Brave Search is based in the United States. Their [privacy policy](https://searc
![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right }
**DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results.
**DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources) for instant answers and other non-primary results.
DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apples Safari browser.
[:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
[:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" }
[:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation}
[:octicons-info-16:](https://help.duckduckgo.com){ .card-link title=Documentation}
</details>
@ -55,7 +55,7 @@ DuckDuckGo is the default search engine for the Tor Browser and is one of the fe
DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information.
DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
## SearXNG
@ -66,7 +66,7 @@ DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-
**SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx).
[:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary }
[:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"}
[:octicons-server-16:](https://searx.space){ .card-link title="Public Instances"}
[:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" }
</details>
@ -86,11 +86,11 @@ When you are using a SearXNG instance, be sure to go read their privacy policy.
![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
**Startpage** is a private search engine known for serving [Google and Bing](https://support.startpage.com/hc/en-us/articles/4522435533844-What-is-the-relationship-between-Startpage-and-your-search-partners-like-Google-and-Microsoft-Bing-) search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
**Startpage** is a private search engine known for serving [Google and Bing](https://support.startpage.com/hc/articles/4522435533844-What-is-the-relationship-between-Startpage-and-your-search-partners-like-Google-and-Microsoft-Bing) search results. One of Startpage's unique features is the [Anonymous View](https://startpage.com/en/anonymous-view), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead.
[:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://startpage.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://support.startpage.com/hc/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
</details>
@ -103,9 +103,9 @@ Startpage regularly limits service access to certain IP addresses, such as IPs r
</div>
Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
Startpage is based in the Netherlands. According to their [privacy policy](https://startpage.com/en/privacy-policy), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
## Criteria

4
docs/tools.md
View File

@ -9,7 +9,7 @@ description: Privacy Guides is the most transparent and reliable website for fin
If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs.
If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!
For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
@ -89,7 +89,7 @@ For more details about each project, why they were chosen, and additional tips o
#### DNS Providers
We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
[Learn more :material-arrow-right-drop-circle:](dns.md)

36
docs/tor.md
View File

@ -10,7 +10,7 @@ schema:
"@type": SoftwareApplication
name: Tor Browser
image: /assets/img/browsers/tor.svg
url: https://www.torproject.org
url: https://torproject.org
sameAs: https://en.wikipedia.org/wiki/Tor_(network)
applicationCategory: Web Browser
operatingSystem:
@ -27,11 +27,11 @@ schema:
The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage }
[:octicons-home-16:](https://torproject.org){ .card-link title=Homepage }
[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
[:octicons-info-16:](https://tb-manual.torproject.org){ .card-link title=Documentation}
[:octicons-code-16:](https://gitlab.torproject.org/tpo/core/tor){ .card-link title="Source Code" }
[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
[:octicons-heart-16:](https://donate.torproject.org){ .card-link title=Contribute }
Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity.
@ -60,20 +60,20 @@ If more complete anonymity is paramount to your situation, you should **only** b
**Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
[:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://torproject.org){ .md-button .md-button--primary }
[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" }
[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation }
[:octicons-info-16:](https://tb-manual.torproject.org){ .card-link title=Documentation }
[:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/tor-browser){ .card-link title="Source Code" }
[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
[:octicons-heart-16:](https://donate.torproject.org){ .card-link title=Contribute }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
- [:simple-android: Android](https://www.torproject.org/download/#android)
- [:simple-windows11: Windows](https://www.torproject.org/download/)
- [:simple-apple: macOS](https://www.torproject.org/download/)
- [:simple-linux: Linux](https://www.torproject.org/download/)
- [:simple-android: Android](https://torproject.org/download/#android)
- [:simple-windows11: Windows](https://torproject.org/download)
- [:simple-apple: macOS](https://torproject.org/download)
- [:simple-linux: Linux](https://torproject.org/download)
</details>
@ -86,7 +86,7 @@ You should **never** install any additional extensions on Tor Browser or edit `a
</div>
The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings).
In addition to installing Tor Browser on your computer directly, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser alone.
@ -98,7 +98,7 @@ In addition to installing Tor Browser on your computer directly, there are also
**Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
[:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://orbot.app){ .md-button .md-button--primary }
[:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
[:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
@ -108,7 +108,7 @@ In addition to installing Tor Browser on your computer directly, there are also
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1609461599)
- [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
</details>
@ -134,7 +134,7 @@ All versions are signed using the same signature so they should be compatible wi
![Onion Browser logo](assets/img/self-contained-networks/onion_browser.svg){ align=right }
**Onion Browser** is an open-source browser that lets you browse the web anonymously over the Tor network on iOS devices and is endorsed by the [Tor Project](https://support.torproject.org/glossary/onion-browser/).
**Onion Browser** is an open-source browser that lets you browse the web anonymously over the Tor network on iOS devices and is endorsed by the [Tor Project](https://support.torproject.org/glossary/onion-browser).
[:octicons-home-16: Homepage](https://onionbrowser.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://onionbrowser.com/privacy-policy){ .card-link title="Privacy Policy" }
@ -164,10 +164,10 @@ All versions are signed using the same signature so they should be compatible wi
People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge.
[:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://snowflake.torproject.org){ .md-button .md-button--primary }
[:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation}
[:octicons-code-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake){ .card-link title="Source Code" }
[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
[:octicons-heart-16:](https://donate.torproject.org){ .card-link title=Contribute }
</details>
@ -181,4 +181,4 @@ Snowflake does not increase your privacy in any way, nor is it used to connect t
Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people.
[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people.

88
docs/vpn.md
View File

@ -25,7 +25,7 @@ If you are looking for **anonymity**, you should use the Tor Browser.
If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
[Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button }
[Download Tor](https://torproject.org){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button }
</div>
@ -43,19 +43,19 @@ Our recommended providers use encryption, accept Monero, support WireGuard & Ope
**Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option.
[:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
[:octicons-home-16: Homepage](https://protonvpn.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
[:octicons-info-16:](https://protonvpn.com/support){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
- [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1437005085)
- [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
- [:simple-windows11: Windows](https://protonvpn.com/download-windows)
- [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
- [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup)
</details>
@ -72,7 +72,7 @@ We also think it's better for the security of the VPN provider's private keys if
#### :material-check:{ .pg-green } Independently Audited
As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
#### :material-check:{ .pg-green } Open-Source Clients
@ -84,31 +84,31 @@ Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](a
#### :material-check:{ .pg-green } WireGuard Support
Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://wireguard.com/protocol). Additionally, WireGuard aims to be simpler and more performant.
Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app.
Proton VPN [recommends](https://protonvpn.com/blog/wireguard) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols) for the protocol is not present in their Linux app.
#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding
Proton VPN currently only supports ephemeral remote [port forwarding](https://protonvpn.com/support/port-forwarding/) via NAT-PMP, with 60 second lease times. The Windows app provides an easy to access option for it, while on other operating systems you'll need to run your own [NAT-PMP client](https://protonvpn.com/support/port-forwarding-manual-setup/). Torrent applications often support NAT-PMP natively.
Proton VPN currently only supports ephemeral remote [port forwarding](https://protonvpn.com/support/port-forwarding) via NAT-PMP, with 60 second lease times. The Windows app provides an easy to access option for it, while on other operating systems you'll need to run your own [NAT-PMP client](https://protonvpn.com/support/port-forwarding-manual-setup). Torrent applications often support NAT-PMP natively.
#### :material-information-outline:{ .pg-orange } Censorship Circumvention
Proton VPN has their [Stealth](https://protonvpn.com/blog/stealth-vpn-protocol/) protocol which *may* help in situations where VPN protocols like OpenVPN or Wireguard are blocked with various rudimentary techniques. Stealth encapsulates the VPN tunnel in TLS session in order to look like more generic internet traffic.
Proton VPN has their [Stealth](https://protonvpn.com/blog/stealth-vpn-protocol) protocol which *may* help in situations where VPN protocols like OpenVPN or Wireguard are blocked with various rudimentary techniques. Stealth encapsulates the VPN tunnel in TLS session in order to look like more generic internet traffic.
Unfortunately it does not work very well in countries where sophisticated filters are deployed that analyze all outgoing traffic in an attempt to discover encrypted tunnels. Stealth is also not yet available on [Windows](https://github.com/ProtonVPN/win-app/issues/64) or Linux.
#### :material-check:{ .pg-green } Mobile Clients
In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers.
In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/app/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers.
#### :material-information-outline:{ .pg-blue } Additional Functionality
Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer content blocking and known-malware blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer content blocking and known-malware blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://torproject.org) for this purpose.
#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs
System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service.
System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service.
### IVPN
@ -118,9 +118,9 @@ System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-swit
**IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.
[:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation}
[:octicons-home-16: Homepage](https://ivpn.net){ .md-button .md-button--primary }
[:octicons-eye-16:](https://ivpn.net/privacy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://ivpn.net/knowledgebase/general){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" }
<details class="downloads" markdown>
@ -128,10 +128,10 @@ System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-swit
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client)
- [:octicons-moon-16: Accrescent](https://accrescent.app/app/net.ivpn.client)
- [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683)
- [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/)
- [:simple-apple: macOS](https://www.ivpn.net/apps-macos/)
- [:simple-linux: Linux](https://www.ivpn.net/apps-linux/)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1193122683)
- [:simple-windows11: Windows](https://ivpn.net/apps-windows)
- [:simple-apple: macOS](https://ivpn.net/apps-macos)
- [:simple-linux: Linux](https://ivpn.net/apps-linux)
</details>
@ -139,7 +139,7 @@ System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-swit
#### :material-check:{ .pg-green } 37 Countries
IVPN has [servers in 37 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
IVPN has [servers in 37 countries](https://ivpn.net/status).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
{ .annotate }
1. Last checked: 2023-12-21
@ -148,11 +148,11 @@ We also think it's better for the security of the VPN provider's private keys if
#### :material-check:{ .pg-green } Independently Audited
IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf).
IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://ivpn.net/blog/ivpn-apps-security-audit-2022-concluded) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf).
#### :material-check:{ .pg-green } Open-Source Clients
As of February 2020 [IVPN applications are now open source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
As of February 2020 [IVPN applications are now open source](https://ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
#### :material-check:{ .pg-green } Accepts Cash and Monero
@ -160,25 +160,25 @@ In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **
#### :material-check:{ .pg-green } WireGuard Support
IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
IVPN supports the WireGuard® protocol. [WireGuard](https://wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://wireguard.com/protocol). Additionally, WireGuard aims to be simpler and more performant.
IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
IVPN [recommends](https://ivpn.net/wireguard) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://wireguard.com/install).
#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding
IVPN previously supported port forwarding, but removed the option in [June 2023](https://www.ivpn.net/blog/gradual-removal-of-port-forwarding). Missing this feature could negatively impact certain applications, especially peer-to-peer applications like torrent clients.
IVPN previously supported port forwarding, but removed the option in [June 2023](https://ivpn.net/blog/gradual-removal-of-port-forwarding). Missing this feature could negatively impact certain applications, especially peer-to-peer applications like torrent clients.
#### :material-check:{ .pg-green } Censorship Circumvention
IVPN has obfuscation modes using the [v2ray](https://www.v2ray.com/en/index.html) project which helps in situations where VPN protocols like OpenVPN or Wireguard are blocked. Currently this feature is only available on Desktop and [iOS](https://www.ivpn.net/knowledgebase/ios/v2ray/). It has two modes where it can use [VMess](https://guide.v2fly.org/en_US/basics/vmess.html) over QUIC or TCP connections. QUIC is a modern protocol with better congestion control and therefore may be faster with reduced latency. The TCP mode makes your data appear as regular HTTP traffic.
IVPN has obfuscation modes using the [v2ray](https://v2ray.com/en/index.html) project which helps in situations where VPN protocols like OpenVPN or Wireguard are blocked. Currently this feature is only available on Desktop and [iOS](https://ivpn.net/knowledgebase/ios/v2ray). It has two modes where it can use [VMess](https://guide.v2fly.org/en_US/basics/vmess.html) over QUIC or TCP connections. QUIC is a modern protocol with better congestion control and therefore may be faster with reduced latency. The TCP mode makes your data appear as regular HTTP traffic.
#### :material-check:{ .pg-green } Mobile Clients
In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers.
In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/app/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers.
#### :material-information-outline:{ .pg-blue } Additional Functionality
IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
### Mullvad
@ -190,19 +190,19 @@ IVPN clients support two factor authentication (Mullvad's clients do not). IVPN
[:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary }
[:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" }
[:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation}
[:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://mullvad.net/en/help){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" }
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
- [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
- [:simple-appstore: App Store](https://apps.apple.com/app/id1488466513)
- [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
- [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
- [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
- [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
- [:simple-windows11: Windows](https://mullvad.net/en/download/windows)
- [:simple-apple: macOS](https://mullvad.net/en/download/macos)
- [:simple-linux: Linux](https://mullvad.net/en/download/linux)
</details>
@ -210,7 +210,7 @@ IVPN clients support two factor authentication (Mullvad's clients do not). IVPN
#### :material-check:{ .pg-green } 40 Countries
Mullvad has [servers in 40 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
Mullvad has [servers in 40 countries](https://mullvad.net/servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
{ .annotate }
1. Last checked: 2023-12-21
@ -223,11 +223,11 @@ Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest re
> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint.
In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website:
In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website:
> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.
In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data) and is available on [Assured's website](https://assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
#### :material-check:{ .pg-green } Open-Source Clients
@ -239,17 +239,17 @@ Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin
#### :material-check:{ .pg-green } WireGuard Support
Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
Mullvad supports the WireGuard® protocol. [WireGuard](https://wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://wireguard.com/protocol). Additionally, WireGuard aims to be simpler and more performant.
Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
Mullvad [recommends](https://mullvad.net/en/help/why-wireguard) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://wireguard.com/install).
#### :material-check:{ .pg-green } IPv6 Support
Mullvad allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/), as opposed to other providers which block IPv6 connections.
Mullvad allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support), as opposed to other providers which block IPv6 connections.
#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding
Mullvad previously supported port forwarding, but removed the option in [May 2023](https://mullvad.net/en/blog/2023/5/29/removing-the-support-for-forwarded-ports/). Missing this feature could negatively impact certain applications, especially peer-to-peer applications like torrent clients.
Mullvad previously supported port forwarding, but removed the option in [May 2023](https://mullvad.net/en/blog/2023/5/29/removing-the-support-for-forwarded-ports). Missing this feature could negatively impact certain applications, especially peer-to-peer applications like torrent clients.
#### :material-check:{ .pg-green } Censorship Circumvention
@ -257,11 +257,11 @@ Mullvad has obfuscation an mode using [Shadowsocks with v2ray](https://mullvad.n
#### :material-check:{ .pg-green } Mobile Clients
Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases).
Mullvad has published [App Store](https://apps.apple.com/app/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases).
#### :material-information-outline:{ .pg-blue } Additional Functionality
Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers). They use [ShadowSocks](https://shadowsocks.org) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
## Criteria

1
theme/assets/img/android/divestos.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg version="1.1" viewBox="0 0 128 128" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.256 0 0 .256 -1.534 -1.5359)"><path d="m506 256a250 250 0 0 1-248.51 250 250 250 0 0 1-251.48-247.01 250 250 0 0 1 245.5-252.95 250 250 0 0 1 254.41 243.98" fill="#fc5424"/><path d="m261.3 166.34c-48.1 0-76.959 33.794-76.959 89.541 0 56.98 28.859 89.787 76.959 89.787 48.347 0 77.207-33.794 77.207-89.787 0-56.98-28.86-89.541-77.207-89.541zm155.15 0c-35.52 0-61.668 19.241-61.668 49.334 0 25.407 14.062 41.193 52.295 53.033 24.913 7.6467 31.326 13.32 31.326 25.9 0 13.073-10.359 20.967-27.133 20.967-17.02 0-30.588-6.1668-43.168-16.773l-20.473 22.447c14.06 13.567 35.273 24.42 64.873 24.42 42.673 0 67.834-22.201 67.834-54.021 0-31.573-18.501-44.892-50.814-55.252-26.64-8.3867-33.053-12.828-33.053-23.682 0-10.853 8.8794-16.771 22.939-16.771 13.813 0 25.654 4.6866 37.494 14.307l18.746-21.955c-15.047-14.307-33.053-21.953-59.199-21.953zm-384.8 4.1934v170.94h51.307c43.66 0 85.1-17.514 85.1-86.334 0-70.547-43.165-84.607-88.799-84.607h-47.607zm229.65 25.408c22.94 0 34.781 16.773 34.781 59.939 0 43.413-11.595 60.186-34.781 60.186-22.2 0-34.533-16.772-34.533-60.186 0-43.167 11.84-59.939 34.533-59.939zm-189.19 3.9453h12.828c23.68 0 41.193 9.3738 41.193 55.254 0 45.387-16.281 56.98-40.701 56.98h-13.32v-112.23z"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.3 KiB

After

Width:  |  Height:  |  Size: 1.3 KiB

12
theme/assets/img/android/obtainium.svg
View File

@ -1,11 +1 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100%" height="100%" viewBox="0 0 128 128" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;">
<g id="path239" transform="matrix(0.780176,0,0,0.780176,-155.567,-216.875)">
<path d="M311.473,434.341C309.4,433.242 297.281,426.527 240.515,395.021C224.718,386.253 209.509,377.822 206.717,376.285C200.375,372.794 199.4,371.935 199.4,369.835C199.4,368.736 201.931,361.693 207.864,346.288C212.518,334.2 216.635,323.607 217.011,322.748C217.868,320.792 219.25,319.131 220.599,318.433C221.862,317.78 253.426,306.253 255.035,305.857C256.774,305.429 258.274,306.253 259.159,308.122C259.583,309.019 261.347,313.648 263.079,318.408C264.811,323.169 267.389,330.208 268.808,334.051C272.06,342.856 272.181,344.103 269.917,345.44C269.317,345.794 265.413,347.326 261.243,348.844C257.072,350.361 253.092,351.933 252.399,352.336C250.799,353.267 250.559,354.704 251.809,355.859C252.305,356.318 260.325,360.893 269.63,366.025C295.638,380.369 294.194,379.72 295.929,377.848C296.779,376.931 312.317,337.409 313.209,333.896C313.59,332.395 313.548,332.186 312.735,331.529C311.625,330.63 311.786,330.591 301.573,334.202C291.455,337.779 290.491,337.855 289.136,335.18C288.424,333.775 277.526,303.843 276.849,301.435C276.411,299.877 276.947,298.397 278.258,297.538C278.803,297.181 286.734,294.138 295.882,290.776C309.458,285.788 312.913,284.658 314.679,284.63C316.957,284.594 317.256,284.75 359.027,307.863C361.922,309.464 363.466,311.15 363.466,312.708C363.466,313.326 353.109,340.799 340.45,373.76C322.597,420.244 317.208,433.886 316.428,434.572C315.102,435.74 314.015,435.689 311.473,434.341L311.473,434.341Z" style="fill:url(#_Linear1);fill-rule:nonzero;stroke:url(#_Linear2);stroke-width:0.39px;"/>
</g>
<defs>
<linearGradient id="_Linear1" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(96.0874,110.767,-110.767,96.0874,217.55,321.519)"><stop offset="0" style="stop-color:rgb(155,88,220);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(50,28,146);stop-opacity:1"/></linearGradient>
<linearGradient id="_Linear2" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(96.0874,110.767,-110.767,96.0874,217.55,321.519)"><stop offset="0" style="stop-color:rgb(155,88,220);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(50,28,146);stop-opacity:1"/></linearGradient>
</defs>
</svg>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><defs><linearGradient id="_Linear1" x2="1" gradientTransform="matrix(96.087 110.77 -110.77 96.087 217.55 321.52)" gradientUnits="userSpaceOnUse"><stop stop-color="#9b58dc" offset="0"/><stop stop-color="#321c92" offset="1"/></linearGradient></defs><g transform="matrix(.20642 0 0 .20642 -41.161 -57.382)" clip-rule="evenodd" fill-rule="evenodd"><path d="m311.47 434.34c-2.073-1.099-14.192-7.814-70.958-39.32-15.797-8.768-31.006-17.199-33.798-18.736-6.342-3.491-7.317-4.35-7.317-6.45 0-1.099 2.531-8.142 8.464-23.547 4.654-12.088 8.771-22.681 9.147-23.54 0.857-1.956 2.239-3.617 3.588-4.315 1.263-0.653 32.827-12.18 34.436-12.576 1.739-0.428 3.239 0.396 4.124 2.265 0.424 0.897 2.188 5.526 3.92 10.286 1.732 4.761 4.31 11.8 5.729 15.643 3.252 8.805 3.373 10.052 1.109 11.389-0.6 0.354-4.504 1.886-8.674 3.404-4.171 1.517-8.151 3.089-8.844 3.492-1.6 0.931-1.84 2.368-0.59 3.523 0.496 0.459 8.516 5.034 17.821 10.166 26.008 14.344 24.564 13.695 26.299 11.823 0.85-0.917 16.388-40.439 17.28-43.952 0.381-1.501 0.339-1.71-0.474-2.367-1.11-0.899-0.949-0.938-11.162 2.673-10.118 3.577-11.082 3.653-12.437 0.978-0.712-1.405-11.61-31.337-12.287-33.745-0.438-1.558 0.098-3.038 1.409-3.897 0.545-0.357 8.476-3.4 17.624-6.762 13.576-4.988 17.031-6.118 18.797-6.146 2.278-0.036 2.577 0.12 44.348 23.233 2.895 1.601 4.439 3.287 4.439 4.845 0 0.618-10.357 28.091-23.016 61.052-17.853 46.484-23.242 60.126-24.022 60.812-1.326 1.168-2.413 1.117-4.955-0.231z" fill="url(#_Linear1)" fill-rule="nonzero" stroke="url(#_Linear1)" stroke-width=".39px"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.6 KiB

After

Width:  |  Height:  |  Size: 1.6 KiB

1
theme/assets/img/android/rethinkdns-dark.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.0033803 0 0 -.0033803 1.64 34.376)" fill="#fff"><path d="m4055 10121c-77-27-205-73-285-101-80-29-188-67-240-85-52-19-140-50-195-70s-181-65-280-100c-201-71-427-151-615-218-69-25-210-75-315-111-104-37-226-80-270-96s-138-50-210-75c-169-59-383-136-415-148-14-6-29-11-35-13-5-1-80-27-165-57-415-146-540-191-595-212-33-12-112-41-176-64-132-48-185-88-222-168l-22-48v-925c0-938 2-992 41-1380 49-488 156-1011 309-1504 61-197 184-532 247-676 40-90 47-106 78-180 28-65 215-447 248-505 164-290 298-511 397-652 27-40 73-105 100-145 28-39 84-116 125-171s84-112 95-127c31-40 95-120 135-166 19-22 44-52 54-65 115-147 475-524 706-739 173-161 542-466 675-557 22-16 45-33 50-39 6-5 28-22 50-37 22-14 60-41 85-58 164-118 524-346 681-433 72-39 133-52 202-42 37 6 177 79 346 181 9 6 34 21 56 34 51 31 415 272 435 288 8 7 71 54 139 104 135 101 174 145 197 226 35 122-34 257-161 315-67 30-169 30-240-1-27-12-52-26-55-30-20-28-395-285-626-429-145-91-135-89-224-34-235 147-373 242-610 416-405 298-905 768-1246 1171-180 213-362 457-536 720-84 127-238 380-238 391 0 3-8 18-19 32-71 101-297 577-415 875-273 690-422 1354-487 2172-12 157-22 1694-11 1710 4 6 23 16 42 22s98 34 175 61c217 79 590 211 695 247 52 19 140 50 195 70s150 54 210 75c61 21 162 57 225 80s165 59 225 80c61 21 232 82 380 135 149 53 295 105 325 115s138 48 240 85 228 82 280 100 217 76 365 130c207 74 278 96 305 92 19-2 78-20 130-40 52-19 178-65 280-101s194-70 205-75c18-8 269-98 470-168 39-13 221-78 405-145 184-66 389-140 455-164 66-23 210-75 320-114 110-40 256-92 325-117 69-24 154-55 190-68s148-54 250-90 214-76 250-89c36-14 128-47 205-74l140-50 3-579c7-1319-49-1851-278-2653-26-91-22-157 13-227 65-126 206-182 355-138 58 17 137 83 164 137 18 36 75 234 83 288 0 3 3 10 6 15 4 6 14 46 24 90s28 125 41 180c45 194 113 598 134 805 42 399 42 420 47 1375 5 933 4 940-16 995-24 63-88 135-141 158-37 16-252 94-545 197-99 35-232 82-295 105s-126 45-140 50-81 29-150 53c-69 25-141 51-160 57-19 7-82 29-140 50-58 22-188 68-290 104-349 122-415 146-435 155-11 5-60 23-110 40-49 16-142 49-205 72-63 22-164 58-225 79-60 21-162 57-225 80s-158 57-210 75c-86 30-275 97-665 237-273 98-272 98-470 29z"/><path d="m5923 5035c-66-20-126-59-191-125-228-228-401-724-437-1256l-7-102-81-16c-222-44-429-202-556-421-154-268-146-616 18-788 154-163 428-122 685 103 31 27 60 50 64 50s20-25 36-56c37-70 123-148 193-174 128-48 256-9 495 149 119 78 108 79 123-9 8-52 43-116 72-136 68-44 163-34 212 22 17 19 118 209 226 423 107 214 199 393 205 396 21 13 22-4 6-122-49-348-21-595 78-698 42-44 44-45 108-45 113 0 260 57 398 154l65 45 14-27c51-100 156-164 300-184 259-36 689 83 998 275l82 51 3 155c2 86 2 159 0 163-1 3-26-10-55-29-60-41-448-234-457-228-4 2-10 57-13 122-4 65-15 152-26 193-79 303-80 276 4 376 97 117 117 149 122 196 5 57-13 88-67 116-61 30-147 30-215-1-63-30-115-87-286-312-204-270-257-332-370-430-169-146-225-206-233-248-12-66-109-94-152-44-64 75-60 268 16 654 17 84 30 170 30 191 0 89-48 180-107 203-73 28-191-8-250-76-21-24-96-152-167-284-98-185-133-241-147-241-23 0-24-16 6 173 34 218 39 284 26 334-17 62-48 93-98 100-89 12-161-26-198-103-22-47-69-279-95-474-27-202-30-223-37-217-3 3-32-16-65-44-83-69-198-145-271-180-151-71-217-15-217 186 0 153 22 223 189 592 260 577 352 894 353 1223 0 69-5 153-12 185-40 196-163 289-317 240zm46-334c68-68 19-447-106-821-58-175-203-540-214-540-21 0-2 357 32 630 55 444 136 701 233 740 30 13 34 12 55-9zm-668-1524c0-84 4-195 8-247l8-95-38-81c-74-156-146-224-240-224-103 0-153 56-152 171 1 163 80 346 213 491 64 71 174 153 191 142 5-3 9-74 10-157zm2870-299c39-161 28-307-29-372-47-52-146-70-217-37-45 20-155 116-155 136 0 14 354 365 368 365 6 0 20-42 33-92z"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 3.7 KiB

After

Width:  |  Height:  |  Size: 3.7 KiB

1
theme/assets/img/android/rethinkdns.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.0033803 0 0 -.0033803 1.64 34.376)"><path d="m4055 10121c-77-27-205-73-285-101-80-29-188-67-240-85-52-19-140-50-195-70s-181-65-280-100c-201-71-427-151-615-218-69-25-210-75-315-111-104-37-226-80-270-96s-138-50-210-75c-169-59-383-136-415-148-14-6-29-11-35-13-5-1-80-27-165-57-415-146-540-191-595-212-33-12-112-41-176-64-132-48-185-88-222-168l-22-48v-925c0-938 2-992 41-1380 49-488 156-1011 309-1504 61-197 184-532 247-676 40-90 47-106 78-180 28-65 215-447 248-505 164-290 298-511 397-652 27-40 73-105 100-145 28-39 84-116 125-171s84-112 95-127c31-40 95-120 135-166 19-22 44-52 54-65 115-147 475-524 706-739 173-161 542-466 675-557 22-16 45-33 50-39 6-5 28-22 50-37 22-14 60-41 85-58 164-118 524-346 681-433 72-39 133-52 202-42 37 6 177 79 346 181 9 6 34 21 56 34 51 31 415 272 435 288 8 7 71 54 139 104 135 101 174 145 197 226 35 122-34 257-161 315-67 30-169 30-240-1-27-12-52-26-55-30-20-28-395-285-626-429-145-91-135-89-224-34-235 147-373 242-610 416-405 298-905 768-1246 1171-180 213-362 457-536 720-84 127-238 380-238 391 0 3-8 18-19 32-71 101-297 577-415 875-273 690-422 1354-487 2172-12 157-22 1694-11 1710 4 6 23 16 42 22s98 34 175 61c217 79 590 211 695 247 52 19 140 50 195 70s150 54 210 75c61 21 162 57 225 80s165 59 225 80c61 21 232 82 380 135 149 53 295 105 325 115s138 48 240 85 228 82 280 100 217 76 365 130c207 74 278 96 305 92 19-2 78-20 130-40 52-19 178-65 280-101s194-70 205-75c18-8 269-98 470-168 39-13 221-78 405-145 184-66 389-140 455-164 66-23 210-75 320-114 110-40 256-92 325-117 69-24 154-55 190-68s148-54 250-90 214-76 250-89c36-14 128-47 205-74l140-50 3-579c7-1319-49-1851-278-2653-26-91-22-157 13-227 65-126 206-182 355-138 58 17 137 83 164 137 18 36 75 234 83 288 0 3 3 10 6 15 4 6 14 46 24 90s28 125 41 180c45 194 113 598 134 805 42 399 42 420 47 1375 5 933 4 940-16 995-24 63-88 135-141 158-37 16-252 94-545 197-99 35-232 82-295 105s-126 45-140 50-81 29-150 53c-69 25-141 51-160 57-19 7-82 29-140 50-58 22-188 68-290 104-349 122-415 146-435 155-11 5-60 23-110 40-49 16-142 49-205 72-63 22-164 58-225 79-60 21-162 57-225 80s-158 57-210 75c-86 30-275 97-665 237-273 98-272 98-470 29z"/><path d="m5923 5035c-66-20-126-59-191-125-228-228-401-724-437-1256l-7-102-81-16c-222-44-429-202-556-421-154-268-146-616 18-788 154-163 428-122 685 103 31 27 60 50 64 50s20-25 36-56c37-70 123-148 193-174 128-48 256-9 495 149 119 78 108 79 123-9 8-52 43-116 72-136 68-44 163-34 212 22 17 19 118 209 226 423 107 214 199 393 205 396 21 13 22-4 6-122-49-348-21-595 78-698 42-44 44-45 108-45 113 0 260 57 398 154l65 45 14-27c51-100 156-164 300-184 259-36 689 83 998 275l82 51 3 155c2 86 2 159 0 163-1 3-26-10-55-29-60-41-448-234-457-228-4 2-10 57-13 122-4 65-15 152-26 193-79 303-80 276 4 376 97 117 117 149 122 196 5 57-13 88-67 116-61 30-147 30-215-1-63-30-115-87-286-312-204-270-257-332-370-430-169-146-225-206-233-248-12-66-109-94-152-44-64 75-60 268 16 654 17 84 30 170 30 191 0 89-48 180-107 203-73 28-191-8-250-76-21-24-96-152-167-284-98-185-133-241-147-241-23 0-24-16 6 173 34 218 39 284 26 334-17 62-48 93-98 100-89 12-161-26-198-103-22-47-69-279-95-474-27-202-30-223-37-217-3 3-32-16-65-44-83-69-198-145-271-180-151-71-217-15-217 186 0 153 22 223 189 592 260 577 352 894 353 1223 0 69-5 153-12 185-40 196-163 289-317 240zm46-334c68-68 19-447-106-821-58-175-203-540-214-540-21 0-2 357 32 630 55 444 136 701 233 740 30 13 34 12 55-9zm-668-1524c0-84 4-195 8-247l8-95-38-81c-74-156-146-224-240-224-103 0-153 56-152 171 1 163 80 346 213 491 64 71 174 153 191 142 5-3 9-74 10-157zm2870-299c39-161 28-307-29-372-47-52-146-70-217-37-45 20-155 116-155 136 0 14 354 365 368 365 6 0 20-42 33-92z"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 3.7 KiB

After

Width:  |  Height:  |  Size: 3.7 KiB

1
theme/assets/img/browsers/firefox-ios.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

3
theme/assets/img/browsers/firefox.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

1
theme/assets/img/browsers/firefox_focus.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 14 KiB

1
theme/assets/img/browsers/ios-trash-dark.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><defs><linearGradient id="linearGradient5472"><stop stop-color="#fff" offset="0"/></linearGradient><linearGradient id="linearGradient5474" x1="60.097" x2="71.645" y1="201.62" y2="201.62" gradientUnits="userSpaceOnUse" xlink:href="#linearGradient5472"/><linearGradient id="linearGradient5480" x1="49.996" x2="81.746" y1="205.62" y2="205.62" gradientUnits="userSpaceOnUse" xlink:href="#linearGradient5472"/><linearGradient id="linearGradient5486" x1="53.418" x2="78.324" y1="218.03" y2="218.03" gradientUnits="userSpaceOnUse" xlink:href="#linearGradient5472"/><linearGradient id="linearGradient5492" x1="69.192" x2="70.78" y1="217.16" y2="217.16" gradientUnits="userSpaceOnUse" xlink:href="#linearGradient5472"/><linearGradient id="linearGradient7461" x1="60.962" x2="62.549" y1="217.16" y2="217.16" gradientUnits="userSpaceOnUse" xlink:href="#linearGradient5472"/></defs><g transform="translate(-48.938 -197.1)" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="2" stroke-width="1.5875"><path d="m77.53 205.88v22.187a2.1167 2.1167 135 0 1-2.1167 2.1167h-19.086a2.1167 2.1167 45 0 1-2.1167-2.1167v-22.187" fill="none" stroke="url(#linearGradient5486)" style="paint-order:fill markers stroke"/><g fill="#fff" fill-rule="evenodd"><path d="m61.756 210.99v12.346" stroke="url(#linearGradient7461)" style="paint-order:fill markers stroke"/><path d="m69.986 210.99v12.346" stroke="url(#linearGradient5492)" style="paint-order:fill markers stroke"/><path d="m50.79 205.62h30.162" stroke="url(#linearGradient5480)" style="paint-order:fill markers stroke"/></g><path d="m60.89 205.37v-5.4277a2.0677 2.0677 0 0 1 2.0677-2.0677h5.8255a2.0677 2.0677 0 0 1 2.0677 2.0677v5.4277" fill="none" stroke="url(#linearGradient5474)" style="paint-order:fill markers stroke"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.9 KiB

After

Width:  |  Height:  |  Size: 1.9 KiB

21
theme/assets/img/browsers/mullvad_browser.svg
View File

@ -1,20 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC '-//W3C//DTD SVG 1.1//EN' 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
<svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" version="1.1" viewBox="0 0 161 161" xml:space="preserve" xmlns="http://www.w3.org/2000/svg">
<g transform="matrix(4.1667 0 0 4.1667 -19.531 -19.531)">
<path d="m4.688 12.938c0-4.557 3.693-8.25 8.25-8.25h22.125c4.556 0 8.25 3.693 8.25 8.25v22.125c0 4.556-3.694 8.25-8.25 8.25h-22.125c-4.557 0-8.25-3.694-8.25-8.25v-22.125z" fill="url(#_Linear1)" fill-rule="nonzero"/>
<g fill-rule="nonzero">
<path d="m16.2 9.844h-5.7v28.125h5.7v-14.7l3.9 7.425h7.8l3.9-7.425v14.7h5.7v-28.125h-5.7l-7.8 14.775-7.8-14.775z" fill="url(#_Radial2)"/>
<path d="m16.2 12.844h-5.7v25.125h5.7v-14.7l3.9 7.425h7.8l3.9-7.425v14.7h5.7v-25.125h-5.7l-7.8 14.775-7.8-14.775z" fill="url(#_Linear3)"/>
<path d="m16.2 15.469h-5.7v22.5h5.7v-14.7l3.9 7.425h7.8l3.9-7.425v14.7h5.7v-22.5h-5.7l-7.8 14.7-7.8-14.7z" fill="url(#_Linear4)"/>
</g>
</g>
<defs>
<linearGradient id="_Linear1" x2="1" gradientTransform="matrix(2.4506e-15 40.021 -40.021 2.4506e-15 24 3.2919)" gradientUnits="userSpaceOnUse"><stop stop-color="#205c9d" offset="0"/><stop stop-color="#05101b" offset=".66"/><stop stop-color="#05101b" offset="1"/></linearGradient>
<radialGradient id="_Radial2" cx="0" cy="0" r="1" gradientTransform="matrix(-7.0924e-15 -18.525 18.506 -7.085e-15 24 27.694)" gradientUnits="userSpaceOnUse"><stop stop-color="#88608c" offset="0"/><stop stop-color="#8f7664" offset=".69"/><stop stop-color="#907029" offset="1"/></radialGradient>
<linearGradient id="_Linear3" x2="1" gradientTransform="matrix(-32.682 16.274 -16.274 -32.682 43.322 15.932)" gradientUnits="userSpaceOnUse"><stop stop-color="#d59c14" offset="0"/><stop stop-color="#f8a912" offset=".29"/><stop stop-color="#fddf00" offset="1"/></linearGradient>
<linearGradient id="_Linear4" x2="1" gradientTransform="matrix(-49.261 21.428 -21.428 -49.261 57.801 12.353)" gradientUnits="userSpaceOnUse"><stop stop-color="#d59c14" offset="0"/><stop stop-color="#f8a912" offset=".07"/><stop stop-color="#fddf00" offset="1"/></linearGradient>
</defs>
</svg>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><defs><linearGradient id="_Linear1" x2="1" gradientTransform="matrix(0,40.021,-40.021,0,24,3.2919)" gradientUnits="userSpaceOnUse"><stop stop-color="#205c9d" offset="0"/><stop stop-color="#05101b" offset=".66"/><stop stop-color="#05101b" offset="1"/></linearGradient><radialGradient id="_Radial2" cx="0" cy="0" r="1" gradientTransform="matrix(0,-18.525,18.506,0,24,27.694)" gradientUnits="userSpaceOnUse"><stop stop-color="#88608c" offset="0"/><stop stop-color="#8f7664" offset=".69"/><stop stop-color="#907029" offset="1"/></radialGradient><linearGradient id="_Linear3" x2="1" gradientTransform="matrix(-32.682,16.274,-16.274,-32.682,43.322,15.932)" gradientUnits="userSpaceOnUse"><stop stop-color="#d59c14" offset="0"/><stop stop-color="#f8a912" offset=".29"/><stop stop-color="#fddf00" offset="1"/></linearGradient><linearGradient id="_Linear4" x2="1" gradientTransform="matrix(-49.261,21.428,-21.428,-49.261,57.801,12.353)" gradientUnits="userSpaceOnUse"><stop stop-color="#d59c14" offset="0"/><stop stop-color="#f8a912" offset=".07"/><stop stop-color="#fddf00" offset="1"/></linearGradient></defs><g transform="matrix(.87681 0 0 .87681 -4.1105 -4.1105)"><path d="m4.688 12.938c0-4.557 3.693-8.25 8.25-8.25h22.125c4.556 0 8.25 3.693 8.25 8.25v22.125c0 4.556-3.694 8.25-8.25 8.25h-22.125c-4.557 0-8.25-3.694-8.25-8.25z" fill="url(#_Linear1)"/><path d="m16.2 9.844h-5.7v28.125h5.7v-14.7l3.9 7.425h7.8l3.9-7.425v14.7h5.7v-28.125h-5.7l-7.8 14.775z" fill="url(#_Radial2)"/><path d="m16.2 12.844h-5.7v25.125h5.7v-14.7l3.9 7.425h7.8l3.9-7.425v14.7h5.7v-25.125h-5.7l-7.8 14.775z" fill="url(#_Linear3)"/><path d="m16.2 15.469h-5.7v22.5h5.7v-14.7l3.9 7.425h7.8l3.9-7.425v14.7h5.7v-22.5h-5.7l-7.8 14.7z" fill="url(#_Linear4)"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.3 KiB

After

Width:  |  Height:  |  Size: 1.8 KiB

1
theme/assets/img/browsers/safari.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 18 KiB

2
theme/assets/img/browsers/tor.svg
View File

@ -1 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" viewBox="0 0 128 128"><defs><linearGradient id="linearGradient-1" x1=".5" x2=".5" y1="1"><stop offset="0" stop-color="#420C5D"/><stop offset="1" stop-color="#951AD1"/></linearGradient><path id="path-2" d="m25 29c127.58 0 231 102.97 231 230s-103.42 230-231 230z"/><filter id="filter-3" width="1.294" height="1.148" x="-.182" y="-.074"><feOffset dx="-8" dy="0" in="SourceAlpha" result="shadowOffsetOuter1"/><feGaussianBlur in="shadowOffsetOuter1" result="shadowBlurOuter1" stdDeviation="10"/><feColorMatrix in="shadowBlurOuter1" values="0 0 0 0 0.250980392 0 0 0 0 0.250980392 0 0 0 0 0.250980392 0 0 0 0.2 0"/></filter><linearGradient id="linearGradient9148" x1="256" x2="256" y1="512" gradientUnits="userSpaceOnUse" xlink:href="#linearGradient-1"/><linearGradient id="linearGradient9150" x1="198.27" x2="198.27" y1="346.53" y2="20.551" gradientTransform="scale(.70864 1.4111)" gradientUnits="userSpaceOnUse" xlink:href="#linearGradient-1"/></defs><g id="Assets" fill="none" fill-rule="evenodd" transform="matrix(.24957 0 0 .24957 .21762 .22232)"><g id="Group"><g id="tb_icon/Stable"><g id="Stable"><circle id="background" cx="256" cy="256" r="246" fill="#f2e4ff" fill-rule="nonzero"/><path id="center" fill="url(#linearGradient9148)" d="m256.53 465.44v-31.033c98.301-0.28386 177.9-80.042 177.9-178.41 0-98.365-79.595-178.12-177.9-178.41v-31.033c115.44 0.29096 208.92 93.937 208.92 209.44 0 115.51-93.482 209.16-208.92 209.45zm0-108.62c55.445-0.29095 100.32-45.304 100.32-100.83 0-55.516-44.878-100.53-100.32-100.82v-31.026c72.59 0.28386 131.36 59.192 131.36 131.85 0 72.661-58.766 131.57-131.36 131.85zm0-155.1c29.742 0.28386 53.777 24.462 53.777 54.274 0 29.82-24.036 53.997-53.777 54.281zm-256.53 54.274c0 141.39 114.61 256.01 256 256.01 141.38 0 256-114.62 256-256.01 0-141.38-114.62-255.99-256-255.99-141.39 0-256 114.61-256 255.99z"/><g id="half" transform="matrix(-1,0,0,1,281,0)"><use width="100%" height="100%" fill="#000" filter="url(#filter-3)" xlink:href="#path-2"/><use width="100%" height="100%" fill="url(#linearGradient9150)" fill-rule="evenodd" xlink:href="#path-2"/></g></g></g></g></g></svg>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><defs><linearGradient id="linearGradient9148" x1="256" x2="256" y1="512" gradientUnits="userSpaceOnUse" xlink:href="#linearGradient-1"/><linearGradient id="linearGradient-1" x1=".5" x2=".5" y1="1"><stop stop-color="#420C5D" offset="0"/><stop stop-color="#951AD1" offset="1"/></linearGradient><filter id="filter-3" x="-.13853" y="-.052174" width="1.2424" height="1.1043"><feOffset dx="-8" dy="0" in="SourceAlpha" result="shadowOffsetOuter1"/><feGaussianBlur in="shadowOffsetOuter1" result="shadowBlurOuter1" stdDeviation="10"/><feColorMatrix in="shadowBlurOuter1" values="0 0 0 0 0.250980392 0 0 0 0 0.250980392 0 0 0 0 0.250980392 0 0 0 0.2 0"/></filter><linearGradient id="linearGradient9150" x1="198.27" x2="198.27" y1="346.53" y2="20.551" gradientTransform="scale(.70864 1.4111)" gradientUnits="userSpaceOnUse" xlink:href="#linearGradient-1"/></defs><g id="Assets" transform="matrix(.066017 0 0 .066017 .032876 -.00026436)" fill="none" fill-rule="evenodd"><g id="Group"><g id="tb_icon/Stable"><g id="Stable"><circle id="background" cx="256" cy="256" r="246" fill="#f2e4ff" fill-rule="nonzero"/><path id="center" d="m256.53 465.44v-31.033c98.301-0.28386 177.9-80.042 177.9-178.41 0-98.365-79.595-178.12-177.9-178.41v-31.033c115.44 0.29096 208.92 93.937 208.92 209.44 0 115.51-93.482 209.16-208.92 209.45zm0-108.62c55.445-0.29095 100.32-45.304 100.32-100.83 0-55.516-44.878-100.53-100.32-100.82v-31.026c72.59 0.28386 131.36 59.192 131.36 131.85 0 72.661-58.766 131.57-131.36 131.85zm0-155.1c29.742 0.28386 53.777 24.462 53.777 54.274 0 29.82-24.036 53.997-53.777 54.281zm-256.53 54.274c0 141.39 114.61 256.01 256 256.01 141.38 0 256-114.62 256-256.01 0-141.38-114.62-255.99-256-255.99-141.39 0-256 114.61-256 255.99z" fill="url(#linearGradient9148)"/><g id="half" transform="matrix(-1,0,0,1,281,0)"><path d="m25 29c127.58 0 231 102.97 231 230s-103.42 230-231 230z" fill="#000" filter="url(#filter-3)"/><path d="m25 29c127.58 0 231 102.97 231 230s-103.42 230-231 230z" fill="url(#linearGradient9150)" fill-rule="evenodd"/></g></g></g></g></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.2 KiB

After

Width:  |  Height:  |  Size: 2.1 KiB

70
theme/assets/img/browsers/ublock_origin_lite.svg
View File

@ -1,69 +1 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
version="1.1"
viewBox="0 0 128 128"
height="128"
width="128"
id="svg86"
sodipodi:docname="ublock.svg"
inkscape:export-filename="../../platform/mv3/extension/img/icon_16.png"
inkscape:export-xdpi="12"
inkscape:export-ydpi="12"
inkscape:version="1.2.1 (9c6d41e410, 2022-07-14)"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<defs
id="defs90" />
<sodipodi:namedview
id="namedview88"
pagecolor="#ffffff"
bordercolor="#000000"
borderopacity="0.25"
inkscape:showpageshadow="2"
inkscape:pageopacity="0.0"
inkscape:pagecheckerboard="0"
inkscape:deskcolor="#d1d1d1"
showgrid="true"
inkscape:zoom="5.6734271"
inkscape:cx="-1.6744729"
inkscape:cy="76.232583"
inkscape:window-width="2560"
inkscape:window-height="1377"
inkscape:window-x="0"
inkscape:window-y="40"
inkscape:window-maximized="1"
inkscape:current-layer="svg86">
<inkscape:grid
type="xygrid"
id="grid250"
spacingx="1"
spacingy="1"
empspacing="8" />
</sodipodi:namedview>
<g
style="display:inline;opacity:1"
id="g76">
<g
style="fill:#800000;fill-opacity:1;stroke:#ffffff;stroke-width:1.62100744;stroke-linecap:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;display:inline"
transform="matrix(0.6778654,0,0,0.56141828,-241.07537,-247.27712)"
id="g70" />
<g
transform="matrix(-0.6945203,0,0,0.56109687,375.02964,-247.42947)"
style="fill:#800000;fill-opacity:1;stroke:#ffffff;stroke-width:1.60191178000000001;stroke-linecap:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;display:inline;stroke-linejoin:round"
id="g74">
<path
d="m 447.83376,669.09921 c -80.63119,-57.03115 -80.63119,-57.03115 -80.63119,-199.60903 34.55623,0 46.07497,0 80.63119,-28.51558 m 0,228.12461 c 80.6312,-57.03115 80.6312,-57.03115 80.6312,-199.60903 -34.55623,0 -46.07497,0 -80.6312,-28.51558"
style="fill:#800000;fill-opacity:1;fill-rule:nonzero;stroke:#ffffff;stroke-width:1.60191178;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
id="path72" />
</g>
</g>
<rect
style="fill:#fefefe;fill-opacity:1;stroke-width:0.550132"
id="rect304"
width="63.999996"
height="12"
x="32"
y="58" />
</svg>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.26274 0 0 .26274 .11808 .11808)"><g transform="matrix(-.69452 0 0 .5611 375.03 -247.43)" fill="#800000" stroke="#fff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.6019"><path d="m447.83 669.1c-80.631-57.031-80.631-57.031-80.631-199.61 34.556 0 46.075 0 80.631-28.516m0 228.12c80.631-57.031 80.631-57.031 80.631-199.61-34.556 0-46.075 0-80.631-28.516" fill="#800000" stroke="#fff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.6019"/></g></g><rect x="8.5257" y="15.357" width="16.815" height="3.1529" fill="#fefefe" stroke-width=".14454"/></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.6 KiB

After

Width:  |  Height:  |  Size: 709 B

2
theme/assets/img/cloud/tresorit.svg
View File

@ -1 +1 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg width="100%" height="100%" viewBox="0 0 608 704" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;"><path id="symbol" d="M304,0l-304,176l0,352l304,176l304,-176l0,-352l-304,-176Zm-240,212.9l240,-138.94l104.84,60.68l-344.84,198.1l0,-119.84Zm480,278.198l-240,138.94l-240,-138.94l0,-84.54l408.84,-234.86l71.16,41.2l-0,278.2Z" style="fill:url(#_Linear1);fill-rule:nonzero;"/><g id="border" opacity="0.15"><path d="M304,0l304,176l0,352l-304,176l-304,-176l0,-352l304,-176m-240,332.74l344.84,-198.1l-104.84,-60.68l-240,138.94l0,119.84m240,297.298l240,-138.94l0,-278.2l-71.16,-41.2l-408.84,234.86l0,84.54l240,138.94m0,-627.728l-302,174.842l0,349.694l302,174.842l302,-174.842l0,-349.694l-302,-174.842Zm-242,333.884l0,-124.45l0.998,-0.578l240,-138.94l1.002,-0.578l1.002,0.58l104.84,60.68l3.002,1.738l-3.008,1.728l-344.84,198.1l-2.996,1.72Zm242,296.154l-1.002,-0.58l-240,-138.94l-0.998,-0.576l0,-86.85l1.004,-0.578l408.84,-234.86l1,-0.574l0.998,0.578l71.16,41.2l0.998,0.578l-0,280.506l-0.998,0.578l-240,138.94l-1.002,0.578Z" style="fill-rule:nonzero;"/></g><defs><linearGradient id="_Linear1" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(608,0,0,608,0,351.999)"><stop offset="0" style="stop-color:#00c4d5;stop-opacity:1"/><stop offset="1" style="stop-color:#2b6df1;stop-opacity:1"/></linearGradient></defs></svg>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><defs><linearGradient id="_Linear1" x2="1" gradientTransform="matrix(29.248 0 0 29.248 2.3091 16.933)" gradientUnits="userSpaceOnUse"><stop stop-color="#00c4d5" offset="0"/><stop stop-color="#2b6df1" offset="1"/></linearGradient></defs><g clip-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2"><path id="symbol" d="m16.933 2.3333e-7 -14.624 8.4667v16.933l14.624 8.4667 14.624-8.4667v-16.933zm-11.545 10.242 11.545-6.6839 5.0434 2.9191-16.589 9.5298zm23.091 13.383-11.545 6.6839-11.545-6.6839v-4.0669l19.668-11.298 3.4232 1.982z" fill="url(#_Linear1)" stroke-width=".048106"/><g id="border" transform="matrix(.048106 0 0 .048106 2.3091 2.1333e-7)" fill-rule="evenodd" opacity=".15"><path d="m304 0 304 176v352l-304 176-304-176v-352l304-176m-240 332.74 344.84-198.1-104.84-60.68-240 138.94v119.84m240 297.3 240-138.94v-278.2l-71.16-41.2-408.84 234.86v84.54l240 138.94m0-627.73-302 174.84v349.69l302 174.84 302-174.84v-349.69zm-242 333.88v-124.45l0.998-0.578 240-138.94 1.002-0.578 1.002 0.58 104.84 60.68 3.002 1.738-347.85 199.83zm242 296.15-1.002-0.58-240-138.94-0.998-0.576v-86.85l1.004-0.578 408.84-234.86 1-0.574 0.998 0.578 71.16 41.2 0.998 0.578v280.51l-0.998 0.578-240 138.94z" fill-rule="nonzero"/></g></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.6 KiB

After

Width:  |  Height:  |  Size: 1.3 KiB

1
theme/assets/img/cryptocurrency/monero.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="_clip1"><rect width="3756.1" height="3756.5"/></clipPath></defs><g transform="matrix(.0090155 0 0 .0090155 16.933 16.933)"><g transform="translate(-1878,-1878.2)"><clipPath><rect width="3756.1" height="3756.5"/></clipPath><g clip-path="url(#_clip1)"><g transform="translate(-371.96,-371.75)"><path d="m4128 2249.8c0 1037.2-840.74 1878-1878 1878s-1878-840.86-1878-1878 840.76-1878.1 1878-1878.1 1878 840.79 1878 1878.1z" fill="#fff"/><path d="m2250 371.75c-1036.9 0-1879.1 842.06-1877.8 1878 0.26 207.26 33.31 406.63 95.34 593.12h561.88v-1579.9l1220.6 1220.6 1220.5-1220.6v1579.9h562c62.12-186.48 95-385.85 95.37-593.12 1.77-1037-840.89-1877.8-1877.9-1877.8v-0.25z" fill="#f26822"/><path d="m1969.3 2764.2-532.67-532.7v994.14h-407.25l-384.29 0.07c329.63 540.8 925.35 902.56 1604.9 902.56s1275.3-361.84 1605-902.64h-791.75v-994.13l-813.31 813.31-280.62-280.61h-0.02z" fill="#4d4d4d"/></g></g></g></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.0 KiB

After

Width:  |  Height:  |  Size: 1.0 KiB

1
theme/assets/img/data-redaction/mat2.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 7.9 KiB

After

Width:  |  Height:  |  Size: 7.9 KiB

1
theme/assets/img/email-clients/evolution.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 31 KiB

1
theme/assets/img/email-clients/fairemail.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><defs><linearGradient id="color-1" x2="0" gradientUnits="userSpaceOnUse"><stop stop-opacity=".3" offset="0"/><stop stop-opacity="0" offset="1"/></linearGradient></defs><g transform="matrix(.7697 0 0 .7697 -1.5394 -1.5394)" font-family="none" font-size="none" font-weight="none" stroke-miterlimit="10" text-anchor="none" style="mix-blend-mode:normal"><path d="m7 43c-1.1046 0-2-0.89543-2-2v-34c0-1.1046 0.89543-2 2-2h34c1.1046 0 2 0.89543 2 2v34c0 1.1046-0.89543 2-2 2z" fill="#039be5"/><path d="m31.816 16.184h-15.632c-1.0796 0-1.9442 0.87442-1.9442 1.954l-0.0098 11.724c0 1.0796 0.87442 1.954 1.954 1.954h15.632c1.0796 0 1.954-0.87442 1.954-1.954v-11.724c0-1.0796-0.87442-1.954-1.954-1.954zm0 3.908-7.8161 4.885-7.8161-4.885v-1.954l7.8161 4.885 7.8161-4.885z" fill="none" stroke-width="0"/><path d="m33.77 18.138v11.724c0 1.0796-0.87442 1.954-1.954 1.954h-15.632c-1.0796 0-1.954-0.87442-1.954-1.954l0.0098-11.724c0-1.0796 0.86465-1.954 1.9442-1.954h15.632c1.0796 0 1.954 0.87442 1.954 1.954zm-1.954 0-7.8161 4.885-7.8161-4.885v1.954l7.8161 4.885 7.8161-4.885z" fill="#fff" stroke-width="0"/><g fill="none"><path d="m2 24c0-12.15 9.8497-22 22-22s22 9.8497 22 22-9.8497 22-22 22-22-9.8497-22-22z"/><rect x="2" y="2" width="44" height="22"/><path d="m2 24v-22h44v22z"/><path d="m2 24v-22h44v22z"/><path d="m2 24v-22h44v22z"/><path d="m2 24v-22h44v22z"/></g></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.5 KiB

After

Width:  |  Height:  |  Size: 1.4 KiB

1
theme/assets/img/email/mail-in-a-box.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.866 33.866" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><defs><linearGradient id="a" x1="302.86" x2="302.86" y1="366.65" y2="609.51" gradientTransform="matrix(.065534 0 0 .024706 -69.188 10.577)" gradientUnits="userSpaceOnUse"><stop stop-color="#1e1e1e" stop-opacity="0" offset="0"/><stop stop-color="#1e1e1e" offset=".5"/><stop stop-color="#1e1e1e" stop-opacity="0" offset="1"/></linearGradient><radialGradient id="c" cx="605.71" cy="486.65" r="117.14" gradientTransform="matrix(.065534 0 0 .024706 -69.175 10.577)" gradientUnits="userSpaceOnUse" xlink:href="#b"/><linearGradient id="b"><stop stop-color="#1e1e1e" offset="0"/><stop stop-color="#1e1e1e" stop-opacity="0" offset="1"/></linearGradient><radialGradient id="d" cx="605.71" cy="486.65" r="117.14" gradientTransform="matrix(-.065534 0 0 .024706 -21.829 10.577)" gradientUnits="userSpaceOnUse" xlink:href="#b"/><linearGradient id="e" x1="20.053" x2="19.875" y1="8.1634" y2="45.6" gradientTransform="matrix(3.6084 0 0 3.5147 149.74 161.13)" gradientUnits="userSpaceOnUse"><stop stop-color="#fff" offset="0"/><stop stop-color="#cfcfcf" offset=".87427"/><stop stop-color="#999" offset="1"/></linearGradient><linearGradient id="f" x1="28.103" x2="28.103" y1="45" y2="14.038" gradientTransform="matrix(3.6084 0 0 3.871 149.74 145.27)" gradientUnits="userSpaceOnUse"><stop stop-color="#727272" offset="0"/><stop stop-color="#bebebe" offset="1"/></linearGradient><linearGradient id="g" x1="25.577" x2="25.577" y1="15" y2="44.001" gradientTransform="matrix(3.4165 0 0 3.59 154.35 153.64)" gradientUnits="userSpaceOnUse"><stop stop-color="#fff" offset="0"/><stop stop-color="#fff" stop-opacity="0" offset="1"/></linearGradient><linearGradient id="h" x1="23.904" x2="23.904" y1="35.75" y2="16.007" gradientTransform="matrix(3.6012 0 0 3.7508 149.92 163.13)" gradientUnits="userSpaceOnUse" xlink:href="#b"/><linearGradient id="i" x1="23.929" x2="23.929" y1="30.773" y2="45.531" gradientTransform="matrix(3.6011 0 0 3.7509 149.91 150.5)" gradientUnits="userSpaceOnUse" xlink:href="#b"/><filter id="j"><feGaussianBlur stdDeviation=".26986834"/></filter></defs><g transform="matrix(.067732 0 0 .067732 -.08599 -31.492)"><g fill-rule="evenodd"><path d="m1.6244 789.54 81.457 75.272 418.19 1.3058-92.435-71.425z" fill="#4d4d9f" opacity=".62963"/><path d="m1.6244 789.54-0.35482-114.12 402.2 10.922 5.3669 108.36z" fill="#353564" opacity=".62963"/><path d="m408.83 794.69 92.435 71.425-6.751-113.3-91.051-66.477z" fill="#e9e9ff" opacity=".62963"/></g><g transform="matrix(2.1768 0 0 1.9735 -248.28 143.03)"><g transform="matrix(3.8692 0 0 3.8661 412.4 233.11)" stroke-width="1.0304"><path d="m-61.324 19.636h31.644v6h-31.644z" fill="url(#a)" opacity=".40206"/><path d="m-29.68 19.636v5.9997c3.3749 0.01129 8.1588-1.3442 8.1588-3.0002s-3.7661-2.9994-8.1588-2.9994z" fill="url(#c)" opacity=".40206"/><path d="m-61.324 19.636v5.9997c-3.3749 0.01129-8.1588-1.3442-8.1588-3.0002s3.7661-2.9994 8.1588-2.9994z" fill="url(#d)" opacity=".40206"/></g><g stroke-width="7.7322"><rect x="155.21" y="217.07" width="162.32" height="100.46" rx="3.6084" ry="3.5147" fill="url(#e)" fill-rule="evenodd" stroke="url(#f)" stroke-linecap="square" stroke-linejoin="round"/><rect x="162.89" y="223.66" width="146.91" height="86.144" rx=".28204" ry=".27066" fill="none" opacity=".4" stroke="url(#g)" stroke-linecap="square"/><path d="m157.86 222.01 78.489 70.642 76.835-70.642" fill="none" opacity=".5" stroke="url(#h)"/></g><path d="m210.22 275.11-50.26 42.184m103.21-43.578 49.032 43.578" fill="none" opacity=".5" stroke="url(#i)" stroke-width="7.7321"/></g><path d="m83.082 864.81-1.4709-119.63 412.91 7.63 6.751 113.3z" fill="#fd5" fill-rule="evenodd"/><path d="m1.6244 789.54 81.457 75.272-1.4709-119.63-80.341-69.769z" fill="#d4aa00" fill-rule="evenodd"/><g stroke="#8f8f8f"><circle cx="359.5" cy="612.41" r="8.2638" fill="#f9f7f7" stroke-linecap="round" stroke-width="2.9217"/><circle cx="408.41" cy="612.41" r="8.2638" fill="#f9f7f7" stroke-linecap="round" stroke-width="2.9217"/><path transform="matrix(1.4369 0 0 1.4369 -36.477 -365.62)" d="m270.91 697.49c13.287 12.201 26.851 15.309 43.571 0.35715" fill="none" filter="url(#j)" stroke-width="4"/></g></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 4.2 KiB

After

Width:  |  Height:  |  Size: 4.2 KiB

1
theme/assets/img/encryption-software/openkeychain.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 20 KiB

1
theme/assets/img/encryption-software/veracrypt-dark.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 5.7 KiB

After

Width:  |  Height:  |  Size: 5.7 KiB

1
theme/assets/img/encryption-software/veracrypt.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 5.7 KiB

After

Width:  |  Height:  |  Size: 5.7 KiB

1
theme/assets/img/file-sharing-sync/freedombox.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 9.3 KiB

After

Width:  |  Height:  |  Size: 9.3 KiB

1
theme/assets/img/financial-services/coincards.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="384" height="128" version="1.1" viewBox="0 0 101.6 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(1.1073 0 0 1.1073 14.838 -20.88)"><g id="Layer_2_1_"><path class="st1" d="m32.7 23.9c-0.2-1-1.3-1.7-2.3-1.4l-22.7 5.4c-1 0.2-1.7 1.3-1.4 2.3l3.1 12.9c0.2 1 1.3 1.7 2.3 1.4l22.7-5.4c1-0.2 1.7-1.3 1.4-2.3z" fill="#ef8022"/></g><g fill="#ffc214"><path class="st2" d="m9.7 47.4c0.6 0.9 1.8 1.1 2.7 0.5l6.7-4.6-7.4 1.8c-1.3 0.3-2.6-0.5-2.9-1.8l-2.8-11.8-3.3 2.3c-0.9 0.6-1.1 1.8-0.5 2.7z"/><path class="st2" d="m14.2 25.8 11.7-2.8-1.3-2c-0.6-0.9-1.8-1.1-2.7-0.5z"/></g><g fill="#f9f185"><path class="st3" d="m12.6 48.3c-0.2 0.2-0.5 0.3-0.7 0.3l0.8 0.5c0.9 0.6 2.1 0.4 2.7-0.5l3.1-4.4z"/><path class="st3" d="m2.3 37.5-1 1.4c-0.6 0.9-0.4 2.1 0.5 2.7l6.3 4.4z"/><path class="st3" d="m12.9 26.1 7.2-5-2.7-1.9c-0.9-0.6-2.1-0.4-2.7 0.5l-5 7.2z"/></g><path class="st2" d="m11.9 42.8c-0.7 0-1.4-0.5-1.7-1.1l-1.5-3.2 1.1 4.6c0.2 0.6 0.7 1.1 1.4 1.1h0.3l17-4.1-16.2 2.7h-0.4z" fill="#ffc214"/><path class="st0" d="m16 35.5s-1.1 1.2-2.5 1.2c-1.7 0-2.6-1.4-2.6-2.8 0-1.3 0.9-2.7 2.6-2.7 1.3 0 2.3 1 2.3 1l1.1-1.7s-0.6-0.7-1.9-1.1v-1.2h-1.1v1h-0.5-0.1v-1h-1.1v1.1c-2.2 0.5-3.7 2.4-3.7 4.7 0 2.4 1.5 4.2 3.7 4.7v1.2h1.1v-1h0.1 0.5v1.1h1.1v-1.3c1.4-0.4 2.1-1.3 2.1-1.3z" fill="#fff"/><g fill="#fff"><path class="st0" d="m21 31.7c2.1 0 3.8 1.4 3.8 3.6 0 2.1-1.7 3.5-3.8 3.5s-3.8-1.4-3.8-3.5 1.7-3.6 3.8-3.6zm0 5.2c0.8 0 1.5-0.6 1.5-1.6s-0.7-1.7-1.5-1.7-1.5 0.6-1.5 1.7c0 1 0.7 1.6 1.5 1.6z"/><rect class="st0" x="25.3" y="31.9" width="2.3" height="6.7"/><rect class="st0" x="25.3" y="29.3" width="2.2" height="1.8"/><path class="st0" d="m28.5 31.9h2.2v0.6 0.4c0.3-0.5 1-1.2 2.1-1.2 1.4 0 2.4 0.6 2.4 2.5v4.4h-2.3v-4c0-0.6-0.2-0.9-0.7-0.9-0.7 0-1.1 0.4-1.3 1-0.1 0.3-0.1 0.6-0.1 0.9v3h-2.3v-6.7z"/></g><g fill="#ef8022"><path class="st1" d="m39.3 31.9c1.7 0 2.5 1 2.5 1l-0.6 0.9s-0.7-0.8-1.8-0.8c-1.3 0-2.3 1-2.3 2.4 0 1.3 1 2.4 2.3 2.4 1.2 0 2-0.9 2-0.9l0.5 0.9s-0.9 1.1-2.6 1.1c-2.1 0-3.5-1.5-3.5-3.5-0.1-2 1.4-3.5 3.5-3.5z"/><path class="st1" d="m46.1 34.5h0.3v-0.1c0-1.1-0.6-1.5-1.5-1.5-1 0-1.8 0.6-1.8 0.6l-0.5-0.9s1-0.8 2.5-0.8c1.7 0 2.6 0.9 2.6 2.6v4.2h-1.2v-0.6-0.5s-0.5 1.3-2.1 1.3c-1.1 0-2.3-0.7-2.3-2 0-2.2 2.9-2.3 4-2.3zm-1.4 3.3c1.1 0 1.8-1.1 1.8-2.1v-0.2h-0.3c-1 0-2.7 0.1-2.7 1.3-0.1 0.5 0.3 1 1.2 1z"/><path class="st1" d="m48.5 32h1.2v1.2 0.5c0.3-1 1.1-1.7 2.1-1.7h0.3v1.3h-0.4c-0.8 0-1.6 0.6-1.9 1.6-0.1 0.4-0.2 0.8-0.2 1.2v2.7h-1.3v-6.8z"/><path class="st1" d="m55.3 31.9c1.5 0 2 1 2 1v-0.4-3.1h1.3v9.2h-1.2v-0.6-0.4s-0.5 1.2-2.2 1.2c-1.8 0-2.9-1.4-2.9-3.5s1.3-3.4 3-3.4zm0.2 5.8c1 0 1.9-0.7 1.9-2.4 0-1.2-0.6-2.4-1.9-2.4-1 0-1.9 0.9-1.9 2.4s0.8 2.4 1.9 2.4z"/><path class="st1" d="m59.7 36.9s0.7 0.8 1.9 0.8c0.5 0 1.1-0.3 1.1-0.8 0-1.2-3.4-1-3.4-3.1 0-1.2 1.1-1.9 2.4-1.9 1.5 0 2.1 0.7 2.1 0.7l-0.5 1s-0.6-0.6-1.6-0.6c-0.5 0-1.1 0.2-1.1 0.8 0 1.2 3.4 0.9 3.4 3.1 0 1.1-0.9 1.9-2.4 1.9-1.6 0-2.5-1-2.5-1z"/></g></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.9 KiB

After

Width:  |  Height:  |  Size: 2.9 KiB

1
theme/assets/img/financial-services/mysudo-dark.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 5.0 KiB

After

Width:  |  Height:  |  Size: 4.9 KiB

1
theme/assets/img/financial-services/mysudo.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="384" height="128" version="1.1" viewBox="0 0 101.6 33.867" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><defs><linearGradient id="SVGID_1_" x1="15.528" x2="240.08" y1="27.875" y2="220.72" gradientUnits="userSpaceOnUse"><stop stop-color="#4875F5" offset=".04971"/><stop stop-color="#4B71F4" offset=".1762"/><stop stop-color="#6250EC" offset=".3227"/><stop stop-color="#7238E7" offset=".4579"/><stop stop-color="#782FE5" offset=".5413"/><stop stop-color="#7B2BE4" offset=".6671"/></linearGradient><clipPath id="SVGID_00000008148322744188545190000011776514215319350975_"><use xlink:href="#SVGID_00000000189638345710748290000006527516765547016108_"/></clipPath><clipPath id="SVGID_00000008107224416624678500000006806855999860403361_"><use xlink:href="#SVGID_00000151503631089680849560000015413622321429831852_"/></clipPath><path id="SVGID_00000000189638345710748290000006527516765547016108_" d="m174.3 123.5c-0.1-7.1 5.3-13 12-13.1s12.4 5.7 12.4 12.8c0.1 7.1-5.4 12.9-12.1 13-6.6 0.1-12.2-5.6-12.3-12.7zm-6.9 0.1c0.2 11.2 8.8 20 19.4 19.8 10.7-0.1 19.1-9.2 18.9-20.4s-8.8-20.1-19.5-20c-10.6 0.3-18.9 9.4-18.8 20.6zm-33.5 13.2-0.3-25.6 6.1-0.1c6.9-0.1 12.1 5.3 12.2 12.6s-4.9 12.9-11.8 13zm-6.8 5.9c0 0.6 0.4 1.1 1 1.1l12.6-0.2c10.3-0.1 18.6-9 18.5-19.9-0.1-10.8-8.7-19.4-19-19.3l-12.6 0.2c-0.5 0-1 0.5-0.9 1.1zm-42.9-13.2c0.1 8.5 6.7 15.3 15 15.2 8.4-0.1 14.8-7.1 14.7-15.6l-0.3-23.3c0-0.6-0.5-1.1-1-1.1l-5.1 0.1c-0.6 0-1 0.5-1 1.1l0.3 23c0.1 4.7-3 8.5-7.7 8.6-4.6 0.1-7.8-3.6-7.9-8.4l-0.3-22.9c0-0.6-0.4-1.1-1-1.1l-5.1 0.1c-0.5 0-1 0.5-1 1.1zm-34 11.5c1.1 1 5.1 4.3 11.8 4.2 7.5-0.1 12.2-5.5 12.1-11.3-0.1-7.2-6.1-10.4-11.3-12.5-4.3-1.8-6.3-3.6-6.4-6.2 0-1.8 1.6-3.9 4.6-4 2.9 0 7 2.7 7.5 3 0.6 0.4 1.4 0 1.9-0.7l2-3.2c0.4-0.6 0.2-1.5-0.3-1.8-1.1-0.8-5.3-3.7-10.7-3.6-8.5 0.1-11.9 5.9-11.9 10.9 0.1 6.6 5.2 9.9 10.2 12 4.5 1.8 6.8 3.8 6.9 6.6 0 2.4-2 4.3-4.8 4.4-3.5 0-7.8-3.2-8.1-3.4-0.5-0.4-1.4-0.4-1.8 0.4l-1.9 3.5c-0.6 0.9-0.3 1.2 0.2 1.7z"/><path id="SVGID_00000151503631089680849560000015413622321429831852_" d="m185.1 157.8c-3.6 6-8.2 11.4-13.5 16.1-28.3 24.5-70.9 21.4-95.3-7-1.1-1.3-2.2-2.7-3.2-4.1-1.4-1.8-1-4.5 0.9-5.8 1.8-1.4 4.4-1 5.8 0.9 0.9 1.2 1.9 2.4 2.9 3.6 21.4 25 58.8 27.7 83.6 6.2 4.7-4.1 8.7-8.8 11.9-14.1 1.2-2 3.7-2.6 5.7-1.4 1.8 1 2.4 3.6 1.2 5.6zm-0.9-68.9c-3.8-5.9-8.5-11.2-14-15.7-28.9-23.8-71.5-19.5-95.1 9.6-1.1 1.4-2.1 2.8-3.1 4.2-1.3 1.9-0.8 4.5 1 5.8 1.9 1.3 4.5 0.9 5.8-1 0.9-1.3 1.8-2.5 2.8-3.7 20.7-25.5 58-29.3 83.4-8.5 4.8 4 8.9 8.6 12.3 13.8 1.2 1.9 3.8 2.5 5.7 1.2 1.9-1.2 2.4-3.8 1.2-5.7z"/></defs><g transform="matrix(.12495 0 0 .12495 -1.9367 1.4266)"><path class="st0" d="m214.5 236.2h-173.8c-13.9 0-25.2-11.3-25.2-25.2v-173.8c0-13.9 11.3-25.2 25.2-25.2h173.8c13.9 0 25.2 11.3 25.2 25.2v173.8c-0.1 13.9-11.3 25.2-25.2 25.2z" fill="url(#SVGID_1_)"/><use clip-rule="evenodd" fill="#ffffff" fill-rule="evenodd" xlink:href="#SVGID_00000000189638345710748290000006527516765547016108_"/><clipPath><use xlink:href="#SVGID_00000000189638345710748290000006527516765547016108_"/></clipPath><g clip-path="url(#SVGID_00000008148322744188545190000011776514215319350975_)"><rect class="st2" transform="matrix(.9999 -.013626 .013626 .9999 -1.6792 1.7502)" x="44" y="98.6" width="167.1" height="51.1" fill="#fff"/></g><use fill="#ffffff" xlink:href="#SVGID_00000151503631089680849560000015413622321429831852_"/><clipPath><use xlink:href="#SVGID_00000151503631089680849560000015413622321429831852_"/></clipPath><g clip-path="url(#SVGID_00000008107224416624678500000006806855999860403361_)"><rect class="st2" transform="matrix(.9999 -.013626 .013626 .9999 -1.679 1.7628)" x="66.4" y="52.5" width="124.3" height="143.2" fill="#fff"/></g><path d="m356.8 166.6c-5.4-15.3-17.9-52.5-23.2-69.8h-0.4v69.8h-19.2v-97.2h29.2s21 62.8 23.9 72.3c2.8-9.6 23-72.3 23-72.3h29v97.2h-19.1v-69.8h-0.4c-5.6 17.4-19.2 58-23.3 69.8z"/><path d="m446 194.4 10-27.2-25.7-66.7h20.1s12.4 35.8 15.1 44.6h0.3c2.8-8.7 15-44.6 15-44.6h18.9l-35 93.9z"/><path d="m552.3 108.6c23 3.9 33.6 11.9 33.6 29.4 0 18.7-16.5 30.5-39.2 30.5-24.6 0-39.4-13.9-40.3-29.6l20.8-3.3c1 9.3 7.2 16.1 19.4 16.1 9.9 0 17.9-3.7 17.9-12.6 0-7.2-5.3-10.7-20.4-13.1-20.3-3.2-35.7-9.9-35.7-29.4 0-19.4 15.7-29.2 37.2-29.2 20.1 0 35.3 9.6 38.6 26.7l-21.1 4.6c-1.5-8.9-7.8-14.4-18.1-14.4-10.4 0-15.6 4.2-15.6 10.7 0.3 8.3 7.1 10.9 22.9 13.6z"/><path d="m662.4 166.6h-19.3v-9.7c-3.3 6.2-9.7 11.7-20.3 11.7-12.6 0-22.9-7.5-22.9-22.5v-45.5h20v39.6c0 9 4.6 12.1 10 12.1 6.2 0 12.5-5.4 12.5-17.6v-34h20z"/><path d="m726 108.8v-39.4h20v97.2h-19.3v-9.6c-3.5 6-10.3 11.5-21.7 11.5-16.2 0-29-13.3-29-35 0-21.5 13.2-35 30-35 9.3 0.1 16.4 4.4 20 10.3zm0.2 22.8c0-12.1-7.5-17.6-14.9-17.6-9.2 0-14.9 8.5-14.9 19.6 0 11.2 5.4 19.6 14.2 19.6 7.6 0 15.6-5.4 15.6-17.5z"/><path d="m828.6 133.6c0 21.7-13.9 35-34.6 35-20.6 0-34.4-13.3-34.4-35s13.9-35 34.4-35c20.8 0 34.6 13.3 34.6 35zm-20.2 0c0-11.2-4.3-20-14.3-20-9.9 0-14.2 8.7-14.2 20s4.3 20 14.2 20c10 0 14.3-8.8 14.3-20z"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 4.9 KiB

After

Width:  |  Height:  |  Size: 4.9 KiB

1
theme/assets/img/financial-services/privacy_com-dark.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="384" height="128" version="1.1" viewBox="0 0 101.6 33.867" xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="clip0_281_2112"><rect width="96" height="24" fill="#fff"/></clipPath></defs><g transform="matrix(1.0583 0 0 1.0583 1.6e-6 4.2333)" clip-path="url(#clip0_281_2112)"><rect width="96" height="24"/><path d="m96 0v24h-96v-24zm-24.243 5.76c-0.8248 0-1.6151 0.12887-2.3712 0.38661-0.756 0.25773-1.4404 0.63861-2.0533 1.1426-0.6128 0.50402-1.1054 1.177-1.4777 2.0189-0.3722 0.84193-0.5584 1.7898-0.5584 2.8437 0 1.008 0.1862 1.9129 0.5584 2.7148 0.3723 0.8018 0.8706 1.4433 1.4949 1.9244s1.3145 0.8477 2.0705 1.0997 1.5464 0.378 2.3712 0.378c1.26 0 2.4227-0.2577 3.488-0.7732v-2.5258c-0.7331 0.6644-1.7641 0.9966-3.0928 0.9966-0.5384 0-1.0568-0.0774-1.555-0.232-0.4983-0.1546-0.9508-0.3809-1.3575-0.6787-0.4066-0.2978-0.7302-0.6959-0.9708-1.1942-0.2405-0.4983-0.3608-1.0682-0.3608-1.7096 0-1.3517 0.4152-2.3741 1.2457-3.0671s1.83-1.0395 2.9984-1.0395c1.1913 0 2.1936 0.31501 3.0069 0.94503v-2.4571c-1.031-0.51548-2.1764-0.77321-3.4365-0.77321zm-58.821 0.24055h-4.5362v12.028h2.5774v-3.9519h1.9588c3.4594 0 5.189-1.346 5.189-4.0379s-1.7296-4.0378-5.189-4.0378zm13.062 0h-4.9485v12.028h2.5773v-4.2096h1.8901l3.2475 4.2096h2.9725l-3.5911-4.5361c1.7526-0.5613 2.6289-1.7526 2.6289-3.574 0-0.73312-0.1346-1.3631-0.4038-1.8901s-0.6414-0.93358-1.1168-1.22c-0.4754-0.28638-0.9794-0.49256-1.5121-0.61857-0.5326-0.126-1.114-0.18901-1.744-0.18901zm10.965 0h-2.5774v12.028h2.5774zm5.6223 0h-2.7836l4.6736 12.028h2.6461l4.6908-12.028h-2.7835l-3.2303 9.0036zm16.729 0h-2.7835l-4.9142 12.028h2.6633l0.8935-2.2509h5.4983l0.8763 2.2509h2.6633zm20.702 0h-2.9038l4.708 7.7664v4.2612h2.5601v-4.2612l4.6909-7.7664h-2.9039l-3.0756 5.3952zm-22.093 2.3884c0.0573 0.30929 0.1432 0.62429 0.2578 0.94503l1.6839 4.3128h-3.8833l1.6667-4.3128c0.1146-0.27492 0.2062-0.58992 0.2749-0.94503zm-44.866-0.12028c1.6266 0 2.4399 0.58993 2.4399 1.7698 0 1.1799-0.8133 1.7698-2.4399 1.7698h-2.079v-3.5396zm13.062 0c0.5956 0 1.0825 0.13746 1.4605 0.41238s0.567 0.70448 0.567 1.2887c0 0.57271-0.1919 0.99941-0.5756 1.2801-0.3837 0.2806-0.8677 0.421-1.4519 0.421h-2.4915v-3.4022z" clip-rule="evenodd" fill="#fff" fill-rule="evenodd"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.2 KiB

After

Width:  |  Height:  |  Size: 2.2 KiB

1
theme/assets/img/financial-services/privacy_com.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="384" height="128" version="1.1" viewBox="0 0 101.6 33.867" xmlns="http://www.w3.org/2000/svg"><path d="m101.6 4.28v25.308h-101.6v-25.31h101.6zm-25.657 6.0733c-0.87347 0-1.7102 0.13667-2.5103 0.40898a6.9003 6.9003 0 0 0-2.1731 1.2037c-0.64913 0.53232-1.1698 1.242-1.5635 2.1296-0.39517 0.88902-0.59126 1.8867-0.59126 2.9985 0 1.0622 0.19748 2.0179 0.59266 2.8632 0.39254 0.84528 0.92001 1.5214 1.5804 2.0292 0.66181 0.50772 1.3914 0.89346 2.1915 1.16 0.80008 0.26308 1.6368 0.39804 2.5103 0.39804 1.3335 0 2.564-0.26992 3.6915-0.81556v-2.663c-0.77613 0.70008-1.8669 1.0499-3.2738 1.0499-0.57011 0-1.1191-0.082-1.6454-0.24258a4.8458 4.8458 0 0 1-1.4365-0.71579 3.3105 3.3105 0 0 1-1.0274-1.2601 4.0838 4.0838 0 0 1-0.38239-1.802c0-1.4254 0.43894-2.5034 1.3179-3.2342 0.87914-0.73083 1.9375-1.0964 3.1736-1.0964 1.2601 0 2.3213 0.33142 3.182 0.9963v-2.5909c-1.0907-0.54325-2.3029-0.81556-3.6364-0.81556zm-62.253 0.25283h-4.8006v12.683h2.7277v-4.1661h2.0743c3.6604 0 5.4892-1.4196 5.4892-4.2573 0-2.8389-1.8288-4.2587-5.4892-4.2587zm13.823 0h-5.2367v12.683h2.7277v-4.4394h2.001l3.436 4.4394h3.1468l-3.8015-4.7827c1.8556-0.59143 2.7827-1.8484 2.7827-3.7677 0-0.77319-0.14251-1.4381-0.42771-1.9936a3.1228 3.1228 0 0 0-1.1826-1.2857 5.5809 5.5809 0 0 0-1.6002-0.65327 8.0462 8.0462 0 0 0-1.8457-0.19475zm11.605 0h-2.7263v12.683h2.7277v-12.683zm5.9506 0h-2.9464l4.9474 12.683h2.7997l4.9643-12.683h-2.945l-3.4191 9.494zm17.705 0h-2.9464l-5.1999 12.683h2.8179l0.94546-2.3736h5.8194l0.92711 2.3736h2.8194zm21.909 0h-3.0734l4.9826 8.1901v4.493h2.7094v-4.4904l4.9643-8.1901h-3.072l-3.2554 5.6896-3.2554-5.6896zm-23.382 2.5191c0.06082 0.32458 0.15102 0.65771 0.27231 0.9963l1.7823 4.548h-4.1091l1.7639-4.548c0.12163-0.287 0.21867-0.62081 0.29042-0.9963zm-47.484-0.12642c1.7216 0 2.5823 0.62081 2.5823 1.8669 0 1.2433-0.86074 1.8655-2.5823 1.8655h-2.1999v-3.734h2.2013zm13.825 0c0.62934 0 1.1444 0.14692 1.5452 0.4346 0.40053 0.29042 0.59974 0.74381 0.59974 1.3588 0 0.60373-0.20309 1.0544-0.60823 1.3506-0.40638 0.29725-0.91858 0.44314-1.5381 0.44314h-2.636v-3.5871z" clip-rule="evenodd" fill-rule="evenodd" stroke-width="1.4111"/></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.1 KiB

After

Width:  |  Height:  |  Size: 2.1 KiB

1
theme/assets/img/frontends/freetube.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.82602 0 0 .82602 -9.9122 -9.9122)"><path d="m14.75 13c-1.5235 0-2.75 1.2746-2.75 2.8574v30c0 4.2857 5.5 7.1426 8.25 7.1426h2.75v-37.143c0-1.5829-1.2265-2.8574-2.75-2.8574zm14.092 0c-1.5745 0-2.8418 1.2265-2.8418 2.75v5.5c0 1.5235 1.2673 2.75 2.8418 2.75h17.053c4.2632 0 7.1055-5.5 7.1055-8.25v-2.75h-7.1055zm-1.5215 14a1.2913 1.1415 0 0 0-1.3203 1.1426v14.719a1.2913 1.1415 0 0 0 1.9355 0.98633l7.2109-3.6797 7.209-3.6797a1.2913 1.1415 0 0 0 0-1.9766l-7.209-3.6777-7.2109-3.6797a1.2913 1.1415 0 0 0-0.61524-0.1543z" opacity=".1"/><path d="m14.75 12c-1.5235 0-2.75 1.2743-2.75 2.8571v30c0 4.2857 5.5 7.1429 8.25 7.1429h2.75v-37.143c0-1.5829-1.2265-2.8571-2.75-2.8571z" fill="#f04242"/><path d="m26 20.25c0 1.5235 1.2676 2.75 2.8421 2.75h17.053c4.2632 0 7.1053-5.5 7.1053-8.25v-2.75h-24.158c-1.5745 0-2.8421 1.2265-2.8421 2.75z" fill="#f04242"/><path d="m27.321 26a1.2913 1.1415 0 0 0-1.3213 1.1426v14.718a1.2913 1.1415 0 0 0 1.9361 0.98692l14.419-7.3588a1.2913 1.1415 0 0 0 0-1.9762l-14.419-7.3588a1.2913 1.1415 0 0 0-0.61487-0.15331z" fill="#14a4df"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.2 KiB

After

Width:  |  Height:  |  Size: 1.2 KiB

1
theme/assets/img/layout/network-anonymous-routing.svg
View File

File diff suppressed because one or more lines are too long
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 14 KiB

1
theme/assets/img/layout/network-centralized.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.32208 0 0 .32208 -3.6371 -3.6592)"><path transform="scale(.75294)" d="m84.824 138.56v-34.412m-13.655-32.975-24.337-24.337m37.992 18.677v-34.412m-19.315 53.727h-34.412m67.387-13.655 24.337-24.337m-24.337 51.652 24.337 24.337m-18.677-37.992h34.412m-91.724 37.992 24.337-24.337" fill="none" stroke="#999" stroke-miterlimit="10" stroke-width="1.932"/><path d="m69.93 110.38c0.02344 2.1836-1.125 4.207-3.0117 5.3047-1.8828 1.0977-4.2148 1.0977-6.0977 0-1.8867-1.0977-3.0352-3.1211-3.0117-5.3047 0.03516-3.3203 2.7383-5.9922 6.0586-5.9922s6.0234 2.6719 6.0625 5.9922z" fill="#7dccba"/><path d="m78.414 63.867c0 8.0352-6.5117 14.547-14.547 14.547-8.0312 0-14.543-6.5117-14.543-14.547 0-8.0312 6.5117-14.543 14.543-14.543 8.0352 0 14.547 6.5117 14.547 14.543z" fill="#fc3"/><path d="m37.039 30.98c0.02344 2.1797-1.125 4.207-3.0117 5.3047-1.8828 1.0977-4.2148 1.0977-6.0977 0-1.8867-1.0977-3.0352-3.125-3.0117-5.3047 0.03516-3.3203 2.7383-5.9961 6.0586-5.9961s6.0234 2.6758 6.0625 5.9961zm32.891-13.625c0.02344 2.1797-1.125 4.207-3.0117 5.3047-1.8828 1.0977-4.2148 1.0977-6.0977 0-1.8867-1.0977-3.0352-3.125-3.0117-5.3047 0.03516-3.3203 2.7383-5.9922 6.0586-5.9922s6.0234 2.6719 6.0625 5.9922zm-46.516 46.516c0.02344 2.1797-1.125 4.207-3.0117 5.3047-1.8828 1.0977-4.2148 1.0977-6.0977 0-1.8867-1.0977-3.0352-3.125-3.0117-5.3047 0.03906-3.3203 2.7422-5.9961 6.0625-5.9961s6.0234 2.6758 6.0586 5.9961zm79.406-32.891c0.0234 2.1797-1.125 4.207-3.0117 5.3047-1.8828 1.0977-4.2148 1.0977-6.0977 0-1.8867-1.0977-3.0352-3.125-3.0117-5.3047 0.03516-3.3203 2.7383-5.9961 6.0586-5.9961s6.0234 2.6758 6.0625 5.9961zm-65.781 65.781c0.02344 2.1797-1.125 4.207-3.0117 5.3047-1.8828 1.0976-4.2148 1.0976-6.0977 0-1.8867-1.0977-3.0352-3.125-3.0117-5.3047 0.03516-3.3203 2.7383-5.9922 6.0586-5.9922s6.0234 2.6719 6.0625 5.9922zm65.781 0c0.0234 2.1797-1.125 4.207-3.0117 5.3047-1.8828 1.0976-4.2148 1.0976-6.0977 0-1.8867-1.0977-3.0352-3.125-3.0117-5.3047 0.03516-3.3203 2.7383-5.9922 6.0586-5.9922s6.0234 2.6719 6.0625 5.9922zm13.621-32.891c0.0273 2.1797-1.125 4.207-3.0078 5.3047-1.8867 1.0977-4.2148 1.0977-6.1016 0-1.8828-1.0977-3.0352-3.125-3.0078-5.3047 0.0352-3.3203 2.7383-5.9961 6.0586-5.9961s6.0234 2.6758 6.0586 5.9961z" fill="#7dccba"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.3 KiB

After

Width:  |  Height:  |  Size: 2.3 KiB

1
theme/assets/img/layout/network-decentralized.svg
View File

@ -1,2 +1 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.075623 0 0 .075623 -1.1343 4.2328)"><path d="m373.55 121.64-13.618-28.28m-245.99 153.64-32.342-119.76m-20.008-12.029-30.601 6.985m33.727-20.683-24.54-19.57m74.399 0-24.54 19.57m-12.66-6.097v-31.387m15.925 50.508 114.64 21.088m-137.59-9.428-13.618 28.279m154.48-26.017-24.54-19.57m198.86 97.472-146.73-61.543m-48.517-74.928 26.471 54.12m-88.092 126.3 84.706-99.43m9.682-28.496-1.166-23.035m116.33-13.767-99.65 46.166m22.507-22.859-24.54 19.57m14.224-88.658-22.63 83.13m-63.573 150.29-30.601-6.985m21.413-33.269-24.54 19.57m7.985 52.964-13.619-28.28m-19.684-24.684-24.54-19.57m21.413 33.269-30.6 6.984m39.361 4.001-13.619 28.28m295.91-78.292-13.619 28.28m57.844-72.533-24.54 19.57m7.984 52.963-13.618-28.28m39.361-4.001-30.6-6.984m-15.787-19.795v-31.387m-15.785 51.182-30.601 6.984m-13.827-154.53-24.54-19.57m37.199 13.474v-31.389m37.199 17.915-24.54 19.57m33.728 20.683-30.6-6.985" fill="none" stroke="#999" stroke-miterlimit="10" stroke-width="1.943"/><path d="m377.06 120.84a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192z" fill="#7fcdbb"/><path d="m77.375 95.412c8.943 0 16.192 7.25 16.192 16.192 0 8.943-7.249 16.192-16.192 16.192-8.942 0-16.191-7.25-16.191-16.192s7.249-16.192 16.191-16.192z" fill="#fc3"/><path d="m33.847 68.795a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-10.751 47.102a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm54.279-68.064a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-24.156 105.84a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm67.685-84.875a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192z" fill="#7fcdbb"/><path d="m223.87 122.36c8.943 0 16.192 7.25 16.192 16.192s-7.249 16.192-16.192 16.192c-8.942 0-16.191-7.25-16.191-16.192 0-8.943 7.249-16.192 16.191-16.192z" fill="#fc3"/><path d="m252.88 23.889a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-72.539 71.853a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm41.134-12.579a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm45.923 12.579a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-80.671-41.225a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-14.284 212.41a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-10.752-47.102a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-19.371 84.875a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192z" fill="#7fcdbb"/><path d="m118.16 246.44c8.943 0 16.192 7.25 16.192 16.192s-7.25 16.192-16.192 16.192-16.192-7.25-16.192-16.192c0-8.943 7.25-16.192 16.192-16.192z" fill="#fc3"/><path d="m74.633 219.82a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-10.75 47.102a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm30.122 37.773a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192z" fill="#7fcdbb"/><path d="m400.46 196.43c8.943 0 16.192 7.25 16.192 16.192 0 8.943-7.249 16.192-16.192 16.192-8.942 0-16.191-7.25-16.191-16.192s7.249-16.192 16.191-16.192z" fill="#fc3"/><path d="m454.74 216.91a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-108.56 0a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm54.279-68.064a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-24.157 105.84a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm67.686-84.875a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-19.372 84.875a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192z" fill="#7fcdbb"/><path d="m352.9 62.58c8.943 0 16.192 7.249 16.192 16.191 0 8.943-7.25 16.192-16.192 16.192s-16.192-7.25-16.192-16.192 7.25-16.192 16.192-16.192z" fill="#fc3"/><path d="m407.18 83.064a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm-97.809-47.102a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm43.529-20.962a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192zm43.529 20.962a8.096 8.096 0 1 1 0 16.192 8.096 8.096 0 0 1 0-16.192z" fill="#7fcdbb"/></g></svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 3.9 KiB

After

Width:  |  Height:  |  Size: 3.9 KiB

Some files were not shown because too many files have changed in this diff Show More