From c2e570dfbd7d11d0951ccde1749ed606fcf3ddb1 Mon Sep 17 00:00:00 2001 From: Jonah Aragon Date: Tue, 19 May 2026 14:22:38 -0500 Subject: [PATCH] style: Normalize headers across recommendations --- .../tools/advanced/device-integrity/index.md | 8 +-- .../self-hosting/social-networks/index.md | 6 +- content/tools/services/dns/index.md | 2 - content/tools/services/vpn/index.md | 70 +++++++++---------- 4 files changed, 42 insertions(+), 44 deletions(-) diff --git a/content/tools/advanced/device-integrity/index.md b/content/tools/advanced/device-integrity/index.md index 775fdbe2c..b4e3c58cc 100644 --- a/content/tools/advanced/device-integrity/index.md +++ b/content/tools/advanced/device-integrity/index.md 
@@ -21,13 +21,13 @@ These tools can be used to validate the integrity of your mobile devices and che It is **critical** to understand that scanning your device for public indicators of compromise is **not sufficient** to determine that a device is "clean", and not targeted with a particular spyware tool. Reliance on these publicly-available scanning tools can miss recent security developments and give you a false sense of security. -## General Advice +## Advice The majority of system-level exploits on modern mobile devices—especially zero-click compromises—are non-persistent, meaning they will not remain or run automatically after a reboot. For this reason, we highly recommend rebooting your device regularly. We recommend everybody reboot their devices once a week at minimum, but if non-persistent malware is of particular concern for you, we and many security experts recommend a daily reboot schedule. This means an attacker would have to regularly re-infect your device to retain access, although we'll note this is not impossible. Rebooting your device also will not protect you against *persistent* malware, but this is less common on mobile devices due to modern security features like secure/verified boot. -## Post-Compromise Information & Disclaimer +### Post-Compromise Information & Disclaimer If any of the following tools indicate a potential compromise by spyware such as Pegasus, Predator, or KingsPawn, we advise that you contact: 
@@ -57,9 +57,9 @@ External verification tools run on your computer and scan your mobile device for > [!CAUTION] > Public indicators of compromise are insufficient to determine that a device is "clean", and not targeted with a particular spyware tool. Reliance on public indicators alone can miss recent forensic traces and give a false sense of security. -> +> > Reliable and comprehensive digital forensic support and triage require access to non-public indicators, research, and threat intelligence. -> +> > Such support is available to civil society through [Amnesty International's Security Lab](https://amnesty.org/en/tech) or [Access Now’s Digital Security Helpline](https://accessnow.org/help). These tools can trigger false-positives. If any of these tools finds indicators of compromise, you need to dig deeper to determine your actual risk. Some reports may be false positives based on websites you've visited in the past, and findings which are many years old are likely either false-positives or indicate previous (and no longer active) compromise. diff --git a/content/tools/self-hosting/social-networks/index.md b/content/tools/self-hosting/social-networks/index.md index a484123d3..b26839a3c 100644 --- a/content/tools/self-hosting/social-networks/index.md +++ b/content/tools/self-hosting/social-networks/index.md 
@@ -24,11 +24,13 @@ These privacy-respecting **social networks** allow you to participate in online A growing problem among social media platforms is censorship in two different forms. First, they often acquiesce to illegitimate censorship requests, either from malicious governments or their own internal policies. Second, they often require accounts to access walled-off content that would otherwise be published freely on the open internet; this effectively censors the browsing activities of privacy-conscious users who are unable to pay the privacy cost of opening an account on these networks. +## Recommendations + The social networks we recommend solve the issue of censorship by operating atop an open and decentralized social networking protocol. They also don't require an account merely to view publicly available content. You should note that **no** social networks are appropriate for private or sensitive communications. For chatting directly with others, you should use a recommended [instant messenger](../../services/messengers/index.md) with strong end-to-end encryption, and only use direct messages on social media in order to establish a more private and secure chat platform with your contacts. -## Decentralization +### Decentralization Decentralized social networks are built on an architecture that is fundamentally different than mainstream social media platforms, yet quite similar to the underlying structure of email. Instead of opening an account under a single, unified service like you would for Facebook or Discord, you instead choose an independent, public server to join. The server you join can communicate with and discover other servers; this aspect of decentralization is also known as *federation*. 
@@ -36,7 +38,7 @@ A significant benefit of this decentralized model is that there is no central au A caveat of this decentralized model is that each server is its own legal entity, with its own privacy policy, terms of use, administration team, and moderators. While many of these servers are far *less* restrictive and more privacy-respecting than traditional social media platforms, some can be far *more* restrictive or potentially *worse* for your privacy. Typically, the software on which the social network runs does not discriminate between these administrators or place any limitations on their powers. -## Censorship Resistance +### Censorship Resistance While censorship in decentralized social networks does not exist on a network level, it is very possible to experience censorship on a server level depending on a server's administrator. Administrators have the power to *defederate* from other servers, which leads to limiting the content you can view and the people you can interact with. diff --git a/content/tools/services/dns/index.md b/content/tools/services/dns/index.md index dd9145652..c1a437fb5 100644 --- a/content/tools/services/dns/index.md +++ b/content/tools/services/dns/index.md @@ -21,8 +21,6 @@ Encrypted **DNS** with third-party servers should only be used to get around bas [Learn more about DNS](../../../wiki/advanced/dns-overview/index.md) -## Recommended Providers - These are our favorite public DNS resolvers based on their privacy and security characteristics, and their worldwide performance. Some of these services offer basic DNS-level blocking of malware or trackers depending on the server you choose, but if you want to be able to see and customize what is blocked, you should use a dedicated DNS filtering product instead. | DNS Provider | Protocols | Logging / Privacy Policy | [ECS](../../../wiki/advanced/dns-overview/index.md#what-is-edns-client-subnet-ecs) | Filtering | Signed Apple Profile | 
diff --git a/content/tools/services/vpn/index.md b/content/tools/services/vpn/index.md index b229b1447..36e337f2f 100644 --- a/content/tools/services/vpn/index.md +++ b/content/tools/services/vpn/index.md @@ -27,8 +27,6 @@ If you're looking for additional *privacy* from your ISP, on a public Wi-Fi netw [Detailed VPN Overview](../../../wiki/basics/vpn-overview/index.md) -## Recommended Providers - Our recommended providers use encryption, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. | Provider | Countries | WireGuard | Port Forwarding | IPv6 | Anonymous Payments | @@ -37,7 +35,7 @@ Our recommended providers use encryption, support WireGuard & OpenVPN, and have | [IVPN](#ivpn) | 41+ | Yes | No | Outgoing Only | Monero Cash | | [Mullvad](#mullvad) | 49+ | Yes | No | Yes | Monero Cash | -### Proton VPN +## Proton VPN {{< title-card >}} @@ -57,7 +55,7 @@ Our recommended providers use encryption, support WireGuard & OpenVPN, and have [{{< badge content="App Store" color="blue" >}}](https://apps.apple.com/app/id1437005085) [{{< badge content="GitHub" >}}](https://github.com/ProtonVPN/android-app/releases) -#### 127 Countries +### 127 Countries Proton VPN has [servers in 127 countries](https://protonvpn.com/vpn-servers)(1) or [10](https://protonvpn.com/support/how-to-create-free-vpn-account) if you use their [free plan](https://protonvpn.com/blog/product-roadmap-winter-2025-2026).(2) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. { .annotate } 
@@ -67,58 +65,58 @@ Proton VPN has [servers in 127 countries](https://protonvpn.com/vpn-servers)(1) We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). -#### Independently Audited +### Independently Audited Independent security researcher Ruben Santamarta conducted audits for Proton VPN's [browser extensions](https://drive.proton.me/urls/RWDD2SHT98#v7ZrwNcafkG8) and [apps](https://drive.proton.me/urls/RVW8TXG484#uTXX5Fc9GADo) in September 2024 and January 2025, respectively. Proton VPN's infrastrcture has undergone [annual audits](https://protonvpn.com/blog/no-logs-audit) by Securitum since 2022. Previously, Proton VPN underwent an independent audit by SEC Consult in January 2020. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform in their dedicated [blog post](https://web.archive.org/web/20250307041036/https://protonvpn.com/blog/open-source) on the audit. -#### Open-Source Clients +### Open-Source Clients Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). -#### Accepts Cash +### Accepts Cash Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](../../../wiki/advanced/payments/index.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. -#### WireGuard Support +### WireGuard Support Proton VPN supports the WireGuard® protocol. 
[WireGuard](https://wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://wireguard.com/protocol). Additionally, WireGuard aims to be simpler and more performant. Proton VPN [recommends](https://protonvpn.com/blog/wireguard) the use of WireGuard with their service. Proton VPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://wireguard.com/install). -#### Limited IPv6 Support +### Limited IPv6 Support Proton [now supports IPv6](https://protonvpn.com/support/prevent-ipv6-vpn-leaks) in their browser extension and Linux client, but only 80% of their servers are IPv6-compatible. On other platforms, the Proton VPN client will block all outgoing IPv6 traffic, so you don't have to worry about your IPv6 address being leaked, but you will not be able to connect to any IPv6-only sites, nor will you be able to connect to Proton VPN from an IPv6-only network. -#### Remote Port Forwarding +### Remote Port Forwarding Proton VPN currently only supports ephemeral remote [port forwarding](https://protonvpn.com/support/port-forwarding) via NAT-PMP, with 60 second lease times. The official Windows and Linux apps provide an easy-to-access option for it, while on other operating systems you'll need to run your own [NAT-PMP client](https://protonvpn.com/support/port-forwarding-manual-setup). Torrent applications often support NAT-PMP natively. -#### Anti-Censorship +### Anti-Censorship Proton VPN has their [Stealth](https://protonvpn.com/blog/stealth-vpn-protocol) protocol which *may* help in situations where VPN protocols like OpenVPN or WireGuard are blocked with various rudimentary techniques. Stealth encapsulates the VPN tunnel in TLS session in order to look like more generic internet traffic. Unfortunately, it does not work very well in countries where sophisticated filters that analyze all outgoing traffic in an attempt to discover encrypted tunnels are deployed. 
Stealth is available on Android, iOS, Windows, and macOS, but it's not yet available on Linux. -#### Mobile Clients +### Mobile Clients Proton VPN has published [App Store](https://apps.apple.com/app/id1437005085) and [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/ProtonVPN/android-app/releases). > [!TIP] > On Android, Proton hides telemetry settings under the misleadingly labeled "**Help us fight censorship**" menu in the settings panel. On other platforms these settings can be found under the "**Usage statistics**" menu. We are noting this because while we don't necessarily recommend against sharing anonymous usage statistics with developers, it is important that these settings are easily found and clearly labeled. -#### Additional Notes +### Additional Notes Proton VPN clients support two-factor authentication on all platforms. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer content blocking and known-malware blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](../../software/tor/index.md#tor-browser) for this purpose. -##### Kill switch feature provides poor protections on macOS +#### Kill switch feature provides poor protections on macOS Proton VPN's kill switch on macOS does not block any traffic when you intentionally disconnect from the VPN, *including when you disconnect by switching servers.* You should not make any sensitive connections while the VPN is turned off, nor when switching servers. 
It is only designed to prevent traffic leaks in the case of an unexpected VPN disconnection, which is still a useful feature to have, but it does not provide the same level of protection as a kill switch that blocks all traffic when the VPN is turned off. Additionally, system crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch) on Intel-based Macs when using the VPN kill switch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. -### IVPN +## IVPN {{< title-card >}} @@ -139,7 +137,7 @@ Additionally, system crashes [may occur](https://protonvpn.com/support/macos-t2- [{{< badge content="Accrescent" >}}](https://accrescent.app/app/net.ivpn.client) [{{< badge content="GitHub" >}}](https://github.com/ivpn/android-app/releases) -#### 41 Countries +### 41 Countries IVPN has [servers in 41 countries](https://ivpn.net/status).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. { .annotate } 
@@ -148,45 +146,45 @@ IVPN has [servers in 41 countries](https://ivpn.net/status).(1) Picking a VPN pr We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). -#### Independently Audited +### Independently Audited IVPN has had multiple [independent audits](https://ivpn.net/en/blog/tags/audit) since 2019 and has publicly announced their commitment to [annual security audits](https://ivpn.net/blog/ivpn-apps-security-audit-concluded). -#### Open-Source Clients +### Open-Source Clients As of February 2020 [IVPN applications are now open source](https://ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). -#### Accepts Cash and Monero +### Accepts Cash and Monero In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. You can also purchase [prepaid cards](https://ivpn.net/knowledgebase/billing/voucher-cards-faq) with redeem codes. -#### WireGuard Support +### WireGuard Support IVPN supports the WireGuard® protocol. [WireGuard](https://wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://wireguard.com/protocol). Additionally, WireGuard aims to be simpler and more performant. IVPN [recommends](https://ivpn.net/wireguard) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://wireguard.com/install). 
-#### IPv6 Support +### IPv6 Support IVPN allows you to [connect to services using IPv6](https://ivpn.net/knowledgebase/general/do-you-support-ipv6) but doesn't allow you to connect from a device using an IPv6 address. -#### Remote Port Forwarding +### Remote Port Forwarding IVPN previously supported port forwarding, but removed the option in [June 2023](https://ivpn.net/blog/gradual-removal-of-port-forwarding). Missing this feature could negatively impact certain applications, especially peer-to-peer applications like torrent clients. -#### Anti-Censorship +### Anti-Censorship IVPN has obfuscation modes using [V2Ray](https://v2ray.com/en/index) which helps in situations where VPN protocols like OpenVPN or WireGuard are blocked. It has two modes where it can use [VMess](https://guide.v2fly.org/en_US/basics/vmess) over QUIC or TCP connections. QUIC is a modern protocol with better congestion control and therefore may be faster with reduced latency. The TCP mode makes your data appear as regular HTTP traffic. -#### Mobile Clients +### Mobile Clients IVPN has published [App Store](https://apps.apple.com/app/id1193122683) and [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/ivpn/android-app/releases). -#### Additional Notes +### Additional Notes IVPN clients support two-factor authentication. IVPN also provides "[AntiTracker](https://ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. -### Mullvad +## Mullvad {{< title-card >}} 
@@ -206,7 +204,7 @@ IVPN clients support two-factor authentication. IVPN also provides "[AntiTracker [{{< badge content="App Store" color="blue" >}}](https://apps.apple.com/app/id1488466513) [{{< badge content="GitHub" >}}](https://github.com/mullvad/mullvadvpn-app/releases) -#### 49 Countries +### 49 Countries Mullvad has [servers in 49 countries](https://mullvad.net/servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. { .annotate } 
@@ -215,34 +213,34 @@ Mullvad has [servers in 49 countries](https://mullvad.net/servers).(1) Picking a We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). -#### Independently Audited +### Independently Audited Mullvad has had multiple [independent audits](https://mullvad.net/en/blog/tag/audits) and has publicly announced their endeavors to conduct [annual audits](https://mullvad.net/en/blog/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit) of their apps and infrastructure. -#### Open-Source Clients +### Open-Source Clients Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). -#### Accepts Cash and Monero +### Accepts Cash and Monero Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. You can also purchase [prepaid cards](https://mullvad.net/en/help/partnerships-and-resellers) with redeem codes. Mullvad also accepts Swish and bank wire transfers, as well as a few European payment systems. -#### WireGuard Support +### WireGuard Support Mullvad supports the WireGuard® protocol. [WireGuard](https://wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://wireguard.com/protocol). Additionally, WireGuard aims to be simpler and more performant. Mullvad [recommends](https://mullvad.net/en/help/why-wireguard) the use of WireGuard with their service. It is the only protocol supported on their mobile apps, and their desktop apps will [lose OpenVPN support](https://mullvad.net/en/blog/reminder-that-openvpn-is-being-removed) in 2025. 
Additionally, their servers will stop accepting OpenVPN connections by January 15, 2026. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://wireguard.com/install). -#### IPv6 Support +### IPv6 Support Mullvad allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support) and connect from a device using an IPv6 address. -#### Remote Port Forwarding +### Remote Port Forwarding Mullvad previously supported port forwarding, but removed the option in [May 2023](https://mullvad.net/en/blog/2023/5/29/removing-the-support-for-forwarded-ports). Missing this feature could negatively impact certain applications, especially peer-to-peer applications like torrent clients. -#### Anti-Censorship +### Anti-Censorship Mullvad offers several features to help bypass censorship and access the internet freely: 
@@ -251,11 +249,11 @@ Mullvad offers several features to help bypass censorship and access the interne - **Custom server IPs**: To counter IP-blocking, you can request custom server IPs from Mullvad's support team. Once you receive the custom IPs, you can input the text file in the "Server IP override" settings, which will override the chosen server IP addresses with ones that aren't known to the censor. - **Bridges and proxies**: Mullvad also allows you to use bridges or proxies to reach their API (needed for authentication), which can help bypass censorship attempts that block access to the API itself. -#### Mobile Clients +### Mobile Clients Mullvad has published [App Store](https://apps.apple.com/app/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). -#### Additional Notes +### Additional Notes Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers). They also provide the option to enable Defense Against AI-guided Traffic Analysis ([DAITA](https://mullvad.net/en/blog/daita-defense-against-ai-guided-traffic-analysis)) in their apps. DAITA protects against the threat of advanced traffic analysis which can be used to connect patterns in VPN traffic with specific websites.
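Review bot: In content/tools/advanced/device-integrity/index.md, demoting `Post-Compromise Information & Disclaimer` from `##` to `###` nests the "who to contact" guidance under `## Advice`, where it is easier to miss for the reader who needs it after a positive scan result. Consider leaving it at `##`. Also, the rename of `## General Advice` to `## Advice` changes the anchor if anchors are derived from heading text (the `#ivpn` and `#mullvad` links in the VPN table suggest they are), so inbound links to the old anchor should be checked in this patch.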
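Review bot: The two bare `>` lines changed inside the `[!CAUTION]` block of device-integrity/index.md differ only in whitespace, which is unrelated to the header normalization named in the subject. Either drop them from this patch or mention the whitespace cleanup in the commit message, and confirm the new lines carry no trailing space.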
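Review bot: The added `## Recommendations` heading in content/tools/self-hosting/social-networks/index.md runs opposite to the dns and vpn files in this same patch, which delete `## Recommended Providers`, and the commit message has no body stating which convention is the target. Please add a short description of the intended heading layout. Note also that `Decentralization` and `Censorship Resistance` are background explanation, so demoting them to `###` under `## Recommendations` makes them read as recommended items; a heading that matches that content would fit better.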
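Review bot: Deleting `## Recommended Providers` in content/tools/services/dns/index.md and content/tools/services/vpn/index.md removes that heading's anchor and leaves both comparison tables sitting directly under the page introduction with no table-of-contents entry. Please check for inbound links to the removed anchor before merging. The in-page links `#ivpn`, `#mullvad` and `#criteria` are unaffected, since only heading levels change for those sections, not their text.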
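Review bot: Minor, in the Proton VPN `Independently Audited` context of vpn/index.md: "Proton VPN's infrastrcture has undergone" has a typo ("infrastructure"). It is an unchanged line, but since this patch already touches the heading directly above it, fixing it here or in a follow-up would be cheap.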
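Review bot: In the Mullvad `WireGuard Support` section of vpn/index.md, the unchanged text still says desktop apps "will lose OpenVPN support in 2025" and that servers "will stop accepting OpenVPN connections by January 15, 2026", both of which are in the past relative to this patch's date of 19 May 2026. This is out of scope for a style commit, but it deserves a follow-up, and the introductory claim that recommended providers "support WireGuard & OpenVPN" should be rechecked at the same time.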