Page formatting consistency (#913)

Jonah Aragon 2022-04-05 10:49:24 -05:00 committed by GitHub
parent e49aa04efc
commit ffdb89720c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 324 additions and 283 deletions

View File

@ -6,3 +6,4 @@ no-hard-tabs:
spaces-per-tab: 4
emphasis-style:
style: "asterisk"
no-duplicate-header: false
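Review bot: `no-duplicate-header: false` switches the duplicate-heading check off for every page, which is broader than the repeated `#### Recommended Configuration`, `#### Sync` and `#### Extensions` sub-headings in this commit require. If the linter in use supports it, keep the rule enabled with its `siblings_only` option so that identical headings under the same parent, and the colliding anchors they produce, are still reported.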

View File

@ -8,17 +8,14 @@ These are our current web browser recommendations and settings. We recommend kee
### Tor Browser
!!! anonyimity "This product provides anonymity"
!!! recommendation
![Tor Browser logo](/assets/img/browsers/tor.svg){ align=right }
**Tor Browser** is the choice if you need anonymity. This browser provides you with access to the Tor Bridges and [Tor Network](https://en.wikipedia.org/wiki/Tor_(network)), along with extensions that can be automatically configured to fit its three security levels - *Standard*, *Safer* and *Safest*. We recommend that you do not change any of Tor Browser's default configurations outside of the standard security levels.
!!! anonyimity "This product provides anonyimity"
!!! warning
You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Browser extensions make you stand out from other Tor users and your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
[Visit torproject.org](https://www.torproject.org){ .md-button .md-button--primary } [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .md-button } [Privacy Policy](https://support.torproject.org/tbb/tbb-3/){ .md-button }
**Downloads**
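Review bot: the admonition type is spelled `anonyimity` on both `!!!` lines in this hunk, and one of the two titles also reads "This product provides anonyimity". Whichever line survives should have the title spelled "anonymity"; if the type keyword is a custom admonition class, rename it together with its stylesheet rule rather than leaving the misspelling as the canonical name.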
@ -30,6 +27,9 @@ These are our current web browser recommendations and settings. We recommend kee
- [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid/)
- [:fontawesome-brands-git: Source](https://trac.torproject.org/projects/tor)
!!! warning
You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Browser extensions make you stand out from other Tor users and your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
## Desktop Browser Recommendations
### Firefox
@ -40,50 +40,6 @@ These are our current web browser recommendations and settings. We recommend kee
**Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).
These options can be found in the *Privacy & Security* settings page ( ≡ → Settings → Privacy & Security).
#### **Enhanced Tracking Protection (ETP)**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Strict"</li>
</ul>
#### **Sanitize on Close**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Delete cookies and site data when Firefox is closed"</li>
</ul>
You can still stay logged into websites by allowing exceptions.
#### **Disable Search Suggestions**
*These features may not be available depending on your region.*
<ul style="list-style-type:none;padding-left:0;">
<li>Toggle off: "Suggestions from the web"</li>
<li>Toggle off: "Suggestions from sponsors"</li>
<li>Toggle off: "Improve the Firefox Suggest experience"</li>
</ul>
#### **Disable Telemetry**
<ul style="list-style-type:none;padding-left:0;">
<li>Uncheck: "Allow Firefox to send technical and interaction data to Mozilla"</li>
<li>Uncheck: "Allow Firefox to install and run studies"</li>
<li>Uncheck: "Allow Firefox to send backlogged crash reports on your behalf"</li>
</ul>
#### **HTTPS-Only Mode**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Enable HTTPS-Only Mode in all windows".</li>
</ul>
#### Sync
The [Firefox sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) service is end-to-end encrypted.
#### Extensions
We generally do not recommend installing any extensions as they increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [uBlock Origin](/browsers/#additional-resources) might be useful to you. The extension is also a 🏆️ [Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla.
#### Arkenfox (advanced)
The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. These options are quite strict but a few are subjective and may cause some websites to not work properly. You can easily change these settings to suit your needs. We **strongly recommend** reading through their [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
!!! warning
Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
[Visit firefox.com](https://firefox.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mozilla.org/privacy/firefox){ .md-button }
**Downloads**
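Review bot: the download-token `!!! warning` leaves its position above the Visit button and **Downloads** here and reappears below the download list in the next hunk, so a reader reaches the Mozilla download links before learning that downloads from Mozilla's website carry the token and the Mozilla FTP releases do not. That warning is what informs the choice of download source; consider keeping it ahead of **Downloads**.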
@ -93,6 +49,62 @@ These are our current web browser recommendations and settings. We recommend kee
- [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.firefox)
- [:fontawesome-brands-git: Source](https://hg.mozilla.org/mozilla-central)
!!! warning
Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
#### Recommended Configuration
These options can be found in the *Privacy & Security* settings page ( ≡ → Settings → Privacy & Security).
**Enhanced Tracking Protection (ETP):**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Strict"</li>
</ul>
**Sanitize on Close:**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Delete cookies and site data when Firefox is closed"</li>
</ul>
You can still stay logged into websites by allowing exceptions.
**Disable Search Suggestions:**
*These features may not be available depending on your region.*
<ul style="list-style-type:none;padding-left:0;">
<li>Toggle off: "Suggestions from the web"</li>
<li>Toggle off: "Suggestions from sponsors"</li>
<li>Toggle off: "Improve the Firefox Suggest experience"</li>
</ul>
**Disable Telemetry:**
<ul style="list-style-type:none;padding-left:0;">
<li>Uncheck: "Allow Firefox to send technical and interaction data to Mozilla"</li>
<li>Uncheck: "Allow Firefox to install and run studies"</li>
<li>Uncheck: "Allow Firefox to send backlogged crash reports on your behalf"</li>
</ul>
**HTTPS-Only Mode:**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Enable HTTPS-Only Mode in all windows".</li>
</ul>
#### Sync
The [Firefox sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) service is end-to-end encrypted.
#### Extensions
We generally do not recommend installing any extensions as they increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [uBlock Origin](/browsers/#additional-resources) might be useful to you. The extension is also a 🏆️ [Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla.
#### Arkenfox (advanced)
The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. These options are quite strict but a few are subjective and may cause some websites to not work properly. You can easily change these settings to suit your needs. We **strongly recommend** reading through their [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
## Mobile Browser Recommendations
On Android, Mozilla's engine [GeckoView](https://mozilla.github.io/geckoview/) has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). Firefox on Android also doesn't yet have [HTTPS-Only mode](https://github.com/mozilla-mobile/fenix/issues/16952#issuecomment-907960218) built-in. We do not recommend Firefox or any Gecko based browsers at this time.
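Review bot: the settings moved under `#### Recommended Configuration` still repeat `<ul style="list-style-type:none;padding-left:0;">` five times. For a formatting-consistency change, a shared CSS class or a plain Markdown list would remove the inline style. The HTTPS-Only item also ends with a period after the closing quote, which the other items in this block do not.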
@ -107,26 +119,28 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
**Bromite** is a [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser))-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization.
These options can be found in *Privacy and Security* ( ⁝ → ⚙️ Settings → Privacy and Security).
#### **HTTPS-Only Mode**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: Always use secure connections.</li>
</ul>
#### **Always-on Incognito Mode**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Open links in incognito tabs always"</li>
<li>Select: "Close all open tabs on exit"</li>
<li>Select: "Open external links in incognito"</li>
</ul>
[Visit bromite.org](https://www.bromite.org){ .md-button .md-button--primary } [Privacy Policy](https://www.bromite.org/privacy){ .md-button }
**Downloads**
- [:fontawesome-brands-android: Android](https://www.bromite.org/fdroid)
- [:fontawesome-brands-github: Source](https://github.com/bromite/bromite)
These options can be found in *Privacy and Security* ( ⁝ → ⚙️ Settings → Privacy and Security).
**HTTPS-Only Mode:**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: Always use secure connections.</li>
</ul>
**Always-on Incognito Mode:**
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Open links in incognito tabs always"</li>
<li>Select: "Close all open tabs on exit"</li>
<li>Select: "Open external links in incognito"</li>
</ul>
### Safari
!!! recommendation
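Review bot: the Bromite settings are moved below **Downloads** without the `#### Recommended Configuration` heading that the Firefox and Safari sections receive in this same commit, so the three browser entries still differ in structure. Add the heading here as well. The line `Select: Always use secure connections.` is also the only option label in the block that is not quoted.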
@ -135,47 +149,56 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
**Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
These options can be found in *Privacy and Security* (⚙️ Settings → Safari → Privacy and Security).
#### **Cross-Site Tracking Prevention**
Toggling this setting enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp).
<ul style="list-style-type:none;padding-left:0;">
<li>Toggle On: "Prevent Cross-Site Tracking".</li>
</ul>
#### **Privacy Report**
Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
Privacy Report is accessible through the "**Aa**" icon in the URL bar.
#### **Privacy Preserving Ad Measurement**
This is WebKit's own [implementation](https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/) of privacy preserving ad click attribution. If you do not wish to participate, you can disable this feature.
<ul style="list-style-type:none;padding-left:0;">
<li>Toggle Off: "Privacy Preserving Ad Measurement".</li>
</ul>
#### **Apple Pay**
If you do not use Apple Pay, you can toggle off the ability for websites to check for it.
<ul style="list-style-type:none;padding-left:0;">
<li>Toggle Off: "Check for Apple Pay".</li>
</ul>
#### **Always-on Private Browsing**
Open Safari and press the tabs icon in the bottom right corner. Open Tab Groups, located in the bottom middle.
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Private".</li>
</ul>
#### iCloud Sync
While synchronization of Safari History, Tab Groups, and iCloud Tabs is end-to-end encrypted, bookmarks are [not](https://support.apple.com/en-us/HT202303); they are only encrypted in transit and stored in an encrypted format on Apple's servers. Apple may be able to decrypt and access them.
If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in *General* (⚙️ Settings → Safari → General → Downloads).
#### Extensions
We generally do not recommend installing [any extensions](https://www.sentinelone.com/blog/inside-safari-extensions-malware-golden-key-user-data/) as they increase your browser's [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [AdGuard for Safari](/browsers/#additional-resources) might be useful to you.
[Visit apple.com](https://www.apple.com/safari/){ .md-button .md-button--primary } [Privacy Policy](https://www.apple.com/legal/privacy/data/en/safari/){ .md-button }
#### Recommended Configuration
These options can be found in *Privacy and Security* (⚙️ Settings → Safari → Privacy and Security).
**Cross-Site Tracking Prevention:**
Toggling this setting enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp).
<ul style="list-style-type:none;padding-left:0;">
<li>Toggle On: "Prevent Cross-Site Tracking".</li>
</ul>
**Privacy Report:**
Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
Privacy Report is accessible through the "**Aa**" icon in the URL bar.
**Privacy Preserving Ad Measurement:**
This is WebKit's own [implementation](https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/) of privacy preserving ad click attribution. If you do not wish to participate, you can disable this feature.
<ul style="list-style-type:none;padding-left:0;">
<li>Toggle Off: "Privacy Preserving Ad Measurement".</li>
</ul>
**Apple Pay:**
If you do not use Apple Pay, you can toggle off the ability for websites to check for it.
<ul style="list-style-type:none;padding-left:0;">
<li>Toggle Off: "Check for Apple Pay".</li>
</ul>
**Always-on Private Browsing:**
Open Safari and press the tabs icon in the bottom right corner. Open Tab Groups, located in the bottom middle.
<ul style="list-style-type:none;padding-left:0;">
<li>Select: "Private".</li>
</ul>
#### iCloud Sync
While synchronization of Safari History, Tab Groups, and iCloud Tabs is end-to-end encrypted, bookmarks are [not](https://support.apple.com/en-us/HT202303); they are only encrypted in transit and stored in an encrypted format on Apple's servers. Apple may be able to decrypt and access them.
If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in *General* (⚙️ Settings → Safari → General → Downloads).
#### Extensions
We generally do not recommend installing [any extensions](https://www.sentinelone.com/blog/inside-safari-extensions-malware-golden-key-user-data/) as they increase your browser's [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [AdGuard for Safari](/browsers/#additional-resources) might be useful to you.
## Additional Resources
### uBlock Origin
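Review bot: the Safari items use "Toggle On:" and "Toggle Off:" while the Firefox block in this commit uses "Toggle off:"; pick one capitalization across both. In the iCloud Sync paragraph, "is set to locally on your device" should be reworded (for example "is set to your device's local storage") while the text is being moved.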
@ -188,12 +211,6 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
We suggest enabling all of the [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) under the "Ads," "Privacy," and "Malware domains". The "Annoyances" and "Multipurpose" lists can also be enabled, but they may break some social media functions. The *AdGuard URL Tracking Protection* filter list makes extensions like CleanURLs and NeatURLs redundant.
We also suggest adding the [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) list and any of the regional lists that might apply to your browsing habits. To add this list, first access settings by clicking on the uBO icon, then the settings icon (⚙️). Go to the bottom of the Filter lists pane and place a checkmark next to Import under the Custom section. Paste the URL of the filter list above into the text area that appears below and click "Apply changes".
Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need.
uBlock Origin also has different [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode). The easy mode [might not](https://www.ranum.com/security/computer_security/editorials/dumb/) necessarily keep you safe from every tracker out there, whereas the more advanced modes let you control exactly what needs to run.
[Visit github.com](https://github.com/gorhill/uBlock){ .md-button .md-button--primary }
**Downloads**
@ -203,17 +220,21 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
- [:fontawesome-brands-opera: Opera](https://addons.opera.com/extensions/details/ublock)
- [:fontawesome-brands-github: Source](https://github.com/gorhill/uBlock)
We also suggest adding the [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) list and any of the regional lists that might apply to your browsing habits. To add this list, first access settings by clicking on the uBO icon, then the settings icon (⚙️). Go to the bottom of the Filter lists pane and place a checkmark next to Import under the Custom section. Paste the URL of the filter list above into the text area that appears below and click "Apply changes".
Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need.
uBlock Origin also has different [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode). The easy mode [might not](https://www.ranum.com/security/computer_security/editorials/dumb/) necessarily keep you safe from every tracker out there, whereas the more advanced modes let you control exactly what needs to run.
### AdGuard for Safari
!!! recommendation
![AdGuard logo](/assets/img/browsers/adguard.svg){ align=right }
**AdGuard for Safari** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). We suggest enabling the filters labled *#recommended* under the "Ad Blocking" and "Privacy" [content blockers](https://kb.adguard.com/en/safari/overview#content-blockers). The *#recommended* filters can also be enabled for the "Social Widgets" and "Annoyances" content blockers, but they may break some social media functions.
Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need.
There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) which is able to perform system-wide content blocking by means of DNS filtering.
**AdGuard for Safari** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
We suggest enabling the filters labled *#recommended* under the "Ad Blocking" and "Privacy" [content blockers](https://kb.adguard.com/en/safari/overview#content-blockers). The *#recommended* filters can also be enabled for the "Social Widgets" and "Annoyances" content blockers, but they may break some social media functions.
[Visit adguard.com](https://adguard.com/en/adguard-safari/overview.html){ .md-button .md-button--primary } [Privacy Policy](https://adguard.com/en/privacy/safari.html){ .md-button }
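Review bot: the AdGuard description is split into two paragraphs here, but the second still reads "filters labled *#recommended*"; correct it to "labeled" as part of the same edit, since the line is being rewritten anyway.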
@ -222,14 +243,20 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/apple-store/id1047223162)
- [:fontawesome-brands-git: Source](https://github.com/AdguardTeam/AdGuardForSafari)
Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need.
There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) which is able to perform system-wide content blocking by means of DNS filtering.
### Terms of Service; Didn't Read
!!! note
We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website.
!!! recommendation
![Terms of Service; Didn't Read logo](/assets/img/browsers/terms_of_service_didnt_read.svg){ align=right }
**Terms of Service; Didn't Read** grades websites based on their terms of service agreements and privacy policies. It also gives short summaries of those agreements. The analyses and ratings are published transparently by a community of reviewers.
We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website.
[Visit tosdr.org](https://tosdr.org){ .md-button .md-button--primary } [Privacy Policy](https://addons.mozilla.org/firefox/addon/terms-of-service-didnt-read/privacy){ .md-button }
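Review bot: the Privacy Policy button at the end of this block points to `addons.mozilla.org/firefox/addon/terms-of-service-didnt-read/privacy`, the policy page of the browser extension, while the note in the same block advises against installing that extension and directs readers to the website. If the site publishes its own policy, link that instead so the button matches the recommendation.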

View File

@ -14,10 +14,6 @@ Trust your provider by using an alternative below that supports [end-to-end encr
**Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. It also comes with experimental end-to-end encryption (E2EE).
We recommend checking if your Nextcloud provider supports E2EE, otherwise you have to trust the provider to not look at your files.
When self hosting Nextcloud, you should also remember to enable E2EE to protect against your hosting provider from snooping on your data.
[Visit nextcloud.com](https://nextcloud.com){ .md-button .md-button--primary } [Privacy Policy](https://nextcloud.com/privacy){ .md-button }
**Downloads**
@ -32,6 +28,10 @@ Trust your provider by using an alternative below that supports [end-to-end encr
- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1125420102)
- [:fontawesome-brands-github: Source](https://github.com/nextcloud)
We recommend checking if your Nextcloud provider supports E2EE, otherwise you have to trust the provider to not look at your files.
When self hosting Nextcloud, you should also remember to enable E2EE to protect against your hosting provider from snooping on your data.
### Proton Drive
!!! recommendation
@ -40,15 +40,15 @@ Trust your provider by using an alternative below that supports [end-to-end encr
**Proton Drive** is an end-to-end encrypted (E2EE) general file storage service by the popular encrypted email provider [ProtonMail](https://protonmail.com).
Proton Drive is currently in beta and only is only available through a web client.
When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](/threat-modeling/), consider using an alternative.
[Visit drive.protonmail.com](https://drive.protonmail.com){ .md-button .md-button--primary } [Privacy Policy](https://protonmail.com/privacy-policy){ .md-button }
**Downloads**
- [:fontawesome-brands-github: Source](https://github.com/ProtonMail/WebClients)
Proton Drive is currently in beta and only is only available through a web client.
When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](/threat-modeling/), consider using an alternative.
### Cryptee
!!! recommendation
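Review bot: the web-client trust caveat (a compromised server can send JavaScript that steals the master password) ends up as plain paragraphs after **Downloads**, whereas the comparable caveats for Tor Browser and Firefox in this commit sit under `!!! warning`. Consider using the same admonition here so the caveat is not read as a footnote, and fix "only is only available" in the first sentence while the line is being moved.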
@ -63,7 +63,11 @@ Trust your provider by using an alternative below that supports [end-to-end encr
**Downloads**
- [:fontawesome-brands-github: Source](https://github.com/cryptee/web-client)
### Tahoe-LAFS (Advanced)
### Tahoe-LAFS
!!! note
Due to the complexity of the system and the amount of nodes needed to set it up, Tahoe-LAFS is only recommended for seasoned system administrators.
!!! recommendation
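Review bot: renaming `### Tahoe-LAFS (Advanced)` to `### Tahoe-LAFS` changes the heading's generated anchor, so any link to the old anchor from other pages will stop resolving; check for inbound links before merging. In the new note, "the amount of nodes" should read "the number of nodes".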
@ -72,8 +76,6 @@ Trust your provider by using an alternative below that supports [end-to-end encr
**Tahoe-LAFS** is a free and open decentralized cloud storage system. It distributes your data across multiple servers. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security. The servers used as storage pools do not have access to your data.
Due to the complexity of the system and the amount of nodes needed to set it up, Tahoe-LAFS is only recommended for seasoned system administrators.
[Visit tahoe-lafs.org](https://www.tahoe-lafs.org){ .md-button .md-button--primary }
**Downloads**

View File

@ -388,9 +388,9 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](/d
**dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](/dns/#dnscrypt), [DNS-over-HTTPS](/dns/#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
!!! warning "The anonymized DNS feature does [**not**](/dns#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
[Visit github.com](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
**Downloads**
- [:fontawesome-brands-github: Source](https://github.com/DNSCrypt/dnscrypt-proxy)
!!! warning "The anonymized DNS feature does [**not**](/dns#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
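Review bot: the Privacy Policy button in this block links to `https://www.libreoffice.org/about-us/privacy/privacy-policy-en/`, which is unrelated to dnscrypt-proxy. The hunk already touches this entry, so replace the link with the project's own policy or drop the button if there is none.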

View File

@ -124,12 +124,6 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
**Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
!!! attention
Canary Mail is closed source. We recommend it, due to the few choices there are for email clients on iOS that support [Pretty Good Privacy (PGP)](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), end-to-end encryption (E2EE).
!!! note
Canary Mail only recently released a Windows and Android client we don't believe they are as stable as their iOS and Mac counterparts.
[Visit canarymail.io](https://canarymail.io){ .md-button .md-button--primary } [Privacy Policy](https://canarymail.io/privacy.html){ .md-button }
**Downloads**
@ -138,6 +132,12 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1236045954)
- [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
!!! attention
Canary Mail only recently released a Windows and Android client, we don't believe they are as stable as their iOS and Mac counterparts.
Canary Mail is closed source. We recommend it, due to the few choices there are for email clients on iOS that support [Pretty Good Privacy (PGP)](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), end-to-end encryption (E2EE).
### Neomutt
!!! recommendation
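Review bot: the merged `!!! attention` block now opens with the stability remark and puts "Canary Mail is closed source" second; the closed-source statement is the more significant caveat and should lead. The first sentence is also a comma splice ("client, we don't believe"); split it into two sentences or join the clauses with "and".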
@ -145,9 +145,8 @@ Our recommendation list contains email clients that support both [OpenPGP](/encr
![Neomutt logo](/assets/img/email-clients/mutt.svg){ align=right }
NeoMutt is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features.
!!! info
Neomut is a text-based client that has a steep learning curve. It is however, very customizable.
Neomut is a text-based client that has a steep learning curve. It is however, very customizable.
[Visit neomutt.org](https://neomutt.org){ .md-button .md-button--primary }
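Review bot: the info line spells the product "Neomut", the heading uses "Neomutt" and the description uses "NeoMutt". Since the line is being changed here, settle on one spelling across all three, and move the comma in "It is however, very customizable" so it reads "It is, however, very customizable".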

View File

@ -15,12 +15,7 @@ The options listed here are multi-platform and great for creating encrypted back
![VeraCrypt logo](/assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
![VeraCrypt logo](/assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
**VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits) and VeraCrypt has also been [audited seperately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
!!! attention
When encrypting with VeraCrypt, the user has the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest users **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and should stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
**VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
[Visit veracrypt.fr](https://veracrypt.fr){ .md-button .md-button--primary }
@ -30,6 +25,12 @@ The options listed here are multi-platform and great for creating encrypted back
- [:fontawesome-brands-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
- [:fontawesome-brands-git: Source](https://www.veracrypt.fr/code)
VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
When encrypting with VeraCrypt, the user has the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest users **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and should stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits) and VeraCrypt has also been [audited seperately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
### Cryptomator
!!! recommendation
@ -38,8 +39,6 @@ The options listed here are multi-platform and great for creating encrypted back
**Cryptomator** makes it easy for you to upload files to the cloud in a virtual encrypted file system.
Some of the Cryptomator Crypto Libraries have been [audited](https://cryptomator.org/open-source/) by [Cure53](https://cryptomator.org/audits/2017-11-27%20crypto%20cure53.pdf). The scope of those libraries included [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). It did not include [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift) which is now used on iOS.
[Visit cryptomator.org](https://cryptomator.org){ .md-button .md-button--primary } [Privacy Policy](https://cryptomator.org/privacy){ .md-button }
**Downloads**
@ -52,6 +51,8 @@ The options listed here are multi-platform and great for creating encrypted back
- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
- [:fontawesome-brands-github: Source](https://github.com/cryptomator)
Some of the Cryptomator Crypto Libraries have been [audited](https://cryptomator.org/open-source/) by [Cure53](https://cryptomator.org/audits/2017-11-27%20crypto%20cure53.pdf). The scope of those libraries included [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). It did not include [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift) which is now used on iOS.
### Picocrypt
!!! recommendation
@ -80,43 +81,43 @@ Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki
**BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).
!!! note
BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise, and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
[Visit microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary }
??? tip "Enabling BitLocker on Windows Home"
To enable BitLocker on "Home" editions of Windows, you must partitions formatted with formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (v1.2, 2.0+) module.
BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise, and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
1. Open Windows [PowerShell](https://en.wikipedia.org/wiki/PowerShell). Start "PowerShell"
??? example "Enabling BitLocker on Windows Home"
2. Check to see partition table format:
```
powershell Get-Disk 0 | findstr GPT && echo This is a GPT system disk!
```
To enable BitLocker on "Home" editions of Windows, you must partitions formatted with formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (v1.2, 2.0+) module.
3. Check TPM version. The value returned must be "3 True". The spec must be 1.2 or above.
```
powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm | findstr "IsActivated IsEnabled IsOwned SpecVersion"
```
1. Open Windows [PowerShell](https://en.wikipedia.org/wiki/PowerShell). Start "PowerShell"
4. Access Windows 10 "Advanced Startup Options". (Press "reboot" while holding shift button). *Troubleshoot > Advanced Options > Command Prompt*
5. Login with your account that has admin privileges and type this to start encryption:
```
manage-bde -on c: -used
```
6. Close the command prompt, and enter into PowerShell:
2. Check to see partition table format:
```
manage-bde c: -protectors -add -rp -tpm
manage-bde -protectors -enable c:
manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
powershell Get-Disk 0 | findstr GPT && echo This is a GPT system disk!
```
3. Check TPM version. The value returned must be "3 True". The spec must be 1.2 or above.
```
powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm | findstr "IsActivated IsEnabled IsOwned SpecVersion"
```
4. Access Windows 10 "Advanced Startup Options". (Press "reboot" while holding shift button). *Troubleshoot > Advanced Options > Command Prompt*
5. Login with your account that has admin privileges and type this to start encryption:
```
manage-bde -on c: -used
```
6. Close the command prompt, and enter into PowerShell:
```
manage-bde c: -protectors -add -rp -tpm
manage-bde -protectors -enable c:
manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
```
!!! warning
Backup `BitLocker-Recovery-Key.txt` on a separate storage device. Loss of this recovery code, may result in loss of data.
[Visit microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary }
### FileVault
!!! recommendation
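Review bot: The re-indented BitLocker steps carry over defects that make the procedure hard to follow, starting with the prerequisite sentence "you must partitions formatted with formatted with a GUID Partition Table", which has lost its verb and doubles "formatted with"; suggest "you must have partitions formatted with a ...". Step 6 tells the reader to "enter into PowerShell" but redirects to `%UserProfile%\Desktop\BitLocker-Recovery-Key.txt`, which only Command Prompt expands, so the recovery key will not land on the Desktop as the following warning assumes; either say Command Prompt or use `$env:UserProfile`. Steps 2 and 3 have the same mismatch: they prefix `powershell` and chain with `findstr ... && echo`, which is Command Prompt syntax, although step 1 opens PowerShell.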
@ -125,11 +126,10 @@ Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki
**FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
!!! note
We recommend storing a local recovery key in a secure place as opposed to utilizing iCloud FileVault recovery. As well, FileVault should be enabled **after** a complete macOS installation as more pseudorandom number generator ([PRNG](https://support.apple.com/guide/security/random-number-generation-seca0c73a75b/web)) [entropy](https://en.wikipedia.org/wiki/Entropy_(computing)) will be available.
[Visit support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary }
We recommend storing a local recovery key in a secure place as opposed to utilizing iCloud FileVault recovery. As well, FileVault should be enabled **after** a complete macOS installation as more pseudorandom number generator ([PRNG](https://support.apple.com/guide/security/random-number-generation-seca0c73a75b/web)) [entropy](https://en.wikipedia.org/wiki/Entropy_(computing)) will be available.
### Linux Unified Key Setup (LUKS)
!!! recommendation
@ -138,28 +138,30 @@ Modern operating systems include [disk encryption](https://en.wikipedia.org/wiki
**LUKS** is the default full disk encryption method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
??? "Creating and opening encrypted containers"
```
dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
sudo cryptsetup luksFormat /path-to-file
```
#### Opening encrypted containers
We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
```
udisksctl loop-setup -f /path-to-file
udisksctl unlock -b /dev/loop0
```
!!! Warning "Back up volume headers"
We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
```
cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
```
[Visit gitlab.com](https://gitlab.com/cryptsetup/cryptsetup){ .md-button .md-button--primary }
??? example "Creating and opening encrypted containers"
```
dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
sudo cryptsetup luksFormat /path-to-file
```
#### Opening encrypted containers
We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
```
udisksctl loop-setup -f /path-to-file
udisksctl unlock -b /dev/loop0
```
!!! Warning "Remember to back up volume headers"
We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
```
cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
```
## Browser-based
Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.
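Review bot: In the "Opening encrypted containers" block, `udisksctl unlock -b /dev/loop0` hardcodes the loop device, but `udisksctl loop-setup` reports whichever device it allocated, and on a system with other loop devices in use that will not be `loop0`; add a sentence telling the reader to substitute the device printed by the previous command. Two smaller points while these lines are being re-indented: `cryptsetup luksHeaderBackup` is shown without `sudo` although `luksFormat` above has it, and the admonition type is written `!!! Warning` here while the same commit uses lowercase `!!! warning` in other files.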
@ -215,11 +217,11 @@ Tools with command-line interfaces are useful for intergrating [shell scripts](h
[OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
!!! attention
When encrypting with PGP, the user has the option to configure different options in their `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
When encrypting with PGP, the user has the option to configure different options in their `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
??? tip "Future default"
When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/).
??? tip "Use future defaults when generating a key"
When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
```bash
gpg --quick-gen-key alice@example.com future-default
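Review bot: The reworded tip still calls `future-default` a "command", but in the example directly below it is the algorithm argument passed to `gpg --quick-gen-key`; a reader searching for a `future-default` command will not find one. Suggest "we suggest passing `future-default` as the algorithm" and, in the same sentence, "instruct GnuPG to use modern cryptography" (the "to" is missing).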
@ -266,15 +268,16 @@ Tools with command-line interfaces are useful for intergrating [shell scripts](h
We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.
!!! note
On iOS devices we suggest [Canary Mail](/email-clients/#canary-mail).
[Visit gpgtools.org](https://gpgtools.org){ .md-button .md-button--primary } [Privacy Policy](https://gpgtools.org/privacy){ .md-button }
**Downloads**
- [:fontawesome-brands-apple: macOS](https://gpgtools.org)
- [:fontawesome-brands-git: Source](https://github.com/GPGTools)
!!! note
We suggest [Canary Mail](/email-clients/#canary-mail) for using PGP with email on iOS devices.
### OpenKeychain
!!! recommendation

View File

@ -46,9 +46,6 @@ Discover how to privately share your files between your devices, with your frien
**Croc** is a way to easily and securely send arbitrary-sized files from one computer to another. Similar to Magic Wormhole but without dependencies, resulting in a smaller application.
!!! Warning
The default encryption curve SIEC is fairly unknown and has not been tested thoroughly. We recommend using the `--curve` [option](https://github.com/schollz/croc/blob/master/README.md#change-encryption-curve) to switch to a more widely known curve such as the p521 curve.
[Visit schollz.com](https://schollz.com/blog/croc6){ .md-button .md-button--primary }
**Downloads**
@ -57,6 +54,10 @@ Discover how to privately share your files between your devices, with your frien
- [:fontawesome-brands-linux: Linux](https://github.com/schollz/croc/releases)
- [:fontawesome-brands-github: Source](https://github.com/schollz/croc)
!!! Warning
The default encryption curve SIEC is fairly unknown and has not been tested thoroughly. We recommend using the `--curve` [option](https://github.com/schollz/croc/blob/master/README.md#change-encryption-curve) to switch to a more widely known curve such as the p521 curve.
## FreedomBox
!!! recommendation

View File

@ -60,15 +60,16 @@ When sharing files, be sure to remove associated metadata. Image files commonly
### Imagepipe
!!! info
Imagepipe is only available from F-Droid and not in Google Play. If you're looking for a paint app in Google Play we suggest [Pocket Paint](https://play.google.com/store/apps/details?id=org.catrobat.paintroid).
!!! recommendation
![Imagepipe logo](/assets/img/metadata-removal/imagepipe.svg){ align=right }
**Imagepipe** is a a paint app for Android that can be used to redact photos and also delete [EXIF](https://en.wikipedia.org/wiki/Exif) metadata. It has been translated into [many](https://codeberg.org/Starfish/Imagepipe#translations) languages.
!!! info
Imagepipe is only available from F-Droid and not in Google Play. If you're looking for a paint app in Google Play we suggest [Pocket Paint](https://play.google.com/store/apps/details?id=org.catrobat.paintroid).
[Visit codeberg.org](https://codeberg.org/Starfish/Imagepipe){ .md-button .md-button--primary }
**Downloads**
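Review bot: The description line in this hunk reads "**Imagepipe** is a a paint app for Android"; drop the duplicated article while the block is being rearranged.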
@ -77,15 +78,16 @@ When sharing files, be sure to remove associated metadata. Image files commonly
### Metapho
!!! attention
Metapho is closed source. We recommend it, due to the few choices there are for iOS devices.
!!! recommendation
![Metapho logo](/assets/img/metadata-removal/metapho.jpg){ align=right }
Metapho is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
!!! attention
Metapho is closed source. We recommend it, due to the few choices there are for iOS devices.
[Visit zininworks.com)](https://zininworks.com/metapho){ .md-button .md-button--primary } [Privacy Policy](https://zininworks.com/privacy/){ .md-button }
**Downloads**
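Review bot: The button label `[Visit zininworks.com)]` has a stray closing parenthesis inside the link text, which will render on the button; it should be `[Visit zininworks.com]`. The moved admonition also has an unneeded comma in "We recommend it, due to the few choices there are for iOS devices".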
@ -103,11 +105,6 @@ When sharing files, be sure to remove associated metadata. Image files commonly
It's often a component of other EXIF removal applications and is in most Linux distribution repositories.
To delete data from a directory of files:
```
exiftool -all= *.file_extension
```
[Visit exiftool.org](https://exiftool.org){ .md-button .md-button--primary }
**Downloads**
@ -116,3 +113,9 @@ When sharing files, be sure to remove associated metadata. Image files commonly
- [:fontawesome-brands-linux: Linux](https://exiftool.org)
- [:fontawesome-brands-git: Source](https://sourceforge.net/projects/exiftool)
- [:fontawesome-brands-github: Source](https://github.com/exiftool/exiftool)
To delete data from a directory of files:
```bash
exiftool -all= *.file_extension
```
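Review bot: The relocated instruction says "To delete data from a directory of files", which now sits below the Downloads list with no surrounding context; make it "To delete metadata from ..." so it is clear what `exiftool -all=` removes. Since readers will run this before sharing files, it is also worth stating next to the command that ExifTool by default keeps the untouched originals alongside the cleaned files with an `_original` suffix, so those copies still contain the metadata and must not be the ones shared.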

View File

@ -4,11 +4,11 @@ icon: material/form-textbox-password
---
Stay safe and secure online with an encrypted and open-source password manager.
## Password best practices
## Password Best Practices
- Always use unique passwords. Don't make yourself a victim of "[credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing)".
- Store an exported backup of your passwords in an [encrypted container](/file-encryption) on another storage device. This can be useful if something happens to your device or the service you are using.
- If possible store [Time-based one-time password (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password) tokens in a separate [TOTP app](/multi-factor-authentication) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
- If possible, store [Time-based one-time password (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password) tokens in a separate [TOTP app](/multi-factor-authentication) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
## Local Password Managers
@ -22,9 +22,6 @@ These password managers store the password database locally.
**KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.
!!! warning
KeepassXC stores its export data as [comma-separated values (CSV)](https://en.wikipedia.org/wiki/Comma-separated_values). This may mean data loss if you import this file into another password manager. We advise you check each record manually.
[Visit keepassxc.org](https://keepassxc.org){ .md-button .md-button--primary } [Privacy Policy](https://keepassxc.org/privacy){ .md-button }
**Downloads**
@ -36,6 +33,10 @@ These password managers store the password database locally.
- [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
- [:fontawesome-brands-github: Source](https://github.com/keepassxreboot/keepassxc)
!!! warning
KeepassXC stores its export data as [comma-separated values (CSV)](https://en.wikipedia.org/wiki/Comma-separated_values). This may mean data loss if you import this file into another password manager. We advise you check each record manually.
### KeepassDX
!!! recommendation
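Review bot: The moved warning spells the product "KeepassXC" while the description in the previous hunk uses "**KeePassXC**"; align the casing in the warning. The heading that follows, "### KeepassDX", has the same mismatch against the project's own "KeePassDX" in its source link.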
@ -53,7 +54,7 @@ These password managers store the password database locally.
- [:pg-f-droid: F-Droid](https://www.f-droid.org/packages/com.kunzisoft.keepass.libre)
- [:fontawesome-brands-github: Source](https://github.com/Kunzisoft/KeePassDX)
## Cloud syncing Password Managers
## Cloud Syncing Password Managers
These password managers sync up to a cloud server that may be self-hostable.
@ -98,7 +99,7 @@ These password managers sync up to a cloud server that may be self-hostable.
- [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/psono/psono-client)
- [:fontawesome-brands-github: Source](https://gitlab.com/psono)
## Password management servers
## Password Management Servers
These products are self-hostable synchronization for cloud based password managers.
@ -125,7 +126,7 @@ These products are self-hostable synchronization for cloud based password manage
Psono provides [extensive documentation](https://doc.psono.com/) for their product. The [web-client](https://doc.psono.com/admin/installation/install-webclient.html#installation-with-docker) for Psono can be self hosted; alternatively, you can choose the the full [Community Edition](https://doc.psono.com/admin/installation/install-server-ce.html) or the [Enterprise Edition](https://doc.psono.com/admin/installation/install-server-ee.html) with additional features.
[Visit gitlab.com](https://gitlab.com/psono/psono-server) { .md-button .md-button--primary } [Privacy Policy](https://psono.com/privacy-policy){ .md-button }
[Visit gitlab.com](https://gitlab.com/psono/psono-server){ .md-button .md-button--primary } [Privacy Policy](https://psono.com/privacy-policy){ .md-button }
**Downloads**
- [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/psono/psono-server)
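Review bot: The button fix (removing the space before `{ .md-button ... }`) is right, but the paragraph directly above it still says "you can choose the the full [Community Edition]" and "can be self hosted"; fix the doubled "the" and hyphenate "self-hosted" in the same pass.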

View File

@ -70,13 +70,15 @@ Get working and collaborating without sharing your documents with a middleman or
![PrivateBin logo](/assets/img/productivity/privatebin.svg){ align=right }
**PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. Do note that it uses JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat.
**PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin.
[Visit privatebin.info](https://privatebin.info){ .md-button .md-button--primary }
**Downloads**
- [:fontawesome-brands-github: Source](https://github.com/PrivateBin/PrivateBin)
Do note that PrivateBin uses JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat.
### CryptPad
!!! recommendation
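Review bot: The JavaScript trust caveat has been split out of the description and now sits as a plain paragraph under the Downloads list, where it is easy to miss; it is the one security limitation stated for PrivateBin (the provider can serve modified JavaScript to the browser that does the encryption). Other files in this commit put such caveats in an admonition after Downloads, so wrap this one in `!!! warning` for the same visibility.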

View File

@ -6,6 +6,9 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F
### OpenWrt
!!! note
Consult the [Table of Hardware](https://openwrt.org/toh/start) to check if your device is supported.
!!! recommendation
![OpenWrt logo](/assets/img/router/openwrt.svg#only-light){ align=right }
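Review bot: Going by the hunk headers, the hardware-compatibility `!!! note` is placed above the `!!! recommendation` card here, whereas the Croc and KeePassXC hunks in this same commit put their admonitions below the Downloads list. For a commit titled "Page formatting consistency", pick one position and apply it to every page, or state in the commit message when an admonition belongs above the card.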
@ -13,9 +16,6 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F
**OpenWrt** is an operating system (in particular, an embedded operating system) based on the Linux kernel, primarily used on embedded devices to route network traffic. The main components are the Linux kernel, util-linux, uClibc, and BusyBox. All components have been optimized for size, to be small enough for fitting into the limited storage and memory available in home routers.
!!! note
Consult the [Table of Hardware](https://openwrt.org/toh/start) to check if your device is supported.
[Visit openwrt.org](https://openwrt.org){ .md-button .md-button--primary }
**Downloads**

View File

@ -16,14 +16,15 @@ Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if
**DuckDuckGo** is a popular search engine and is the default for the Tor Browser.
DuckDuckGo has a [lite](https://duckduckgo.com/lite) and [html](https://duckduckgo.com/html) only version, both of which [do not require JavaScript](https://help.duckduckgo.com/features/non-javascript) and can be used with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion) (append [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version).
DuckDuckGo uses a commercial Bing API and various [other sources](https://help.duckduckgo.com/results/sources) to provide its search data.
[Visit duckduckgo.com](https://duckduckgo.com){ .md-button .md-button--primary } [:pg-tor:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .md-button } [Privacy Policy](https://duckduckgo.com/privacy){ .md-button }
!!! note
The company is based in the 🇺🇸 US. Their [Privacy Policy](https://duckduckgo.com/privacy) states they do log your search query, but not your IP or any other identifying information.
!!! note
DuckDuckGo is based in the 🇺🇸 US. Their [Privacy Policy](https://duckduckgo.com/privacy) states they do log your search query, but not your IP or any other identifying information.
DuckDuckGo has a [lite](https://duckduckgo.com/lite) and [html](https://duckduckgo.com/html) only version, both of which [do not require JavaScript](https://help.duckduckgo.com/features/non-javascript) and can be used with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion) (append [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version).
### Startpage
@ -35,10 +36,11 @@ Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if
[Visit startpage.com](https://www.startpage.com){ .md-button .md-button--primary } [Privacy Policy](https://www.startpage.com/en/privacy-policy){ .md-button }
!!! note
Startpage is based in the 🇳🇱 Netherlands. According to their [Privacy Policy](https://www.startpage.com/en/privacy-policy/), they only log details such as: operating system, type of browser and language. They do not log your IP address, search queries or other identifying information. Startpage proxies Google Search so Google does have access to your search queries.
!!! note
Startpage's majority shareholder is System1 who is an adtech company. We don't think that is an issue as they have their own Privacy Policy. The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) for clarification and was satisfied by the answers we received.
Startpage is based in the 🇳🇱 Netherlands. According to their [Privacy Policy](https://www.startpage.com/en/privacy-policy/), they only log details such as: operating system, type of browser and language. They do not log your IP address, search queries or other identifying information. Startpage proxies Google Search so Google does have access to your search queries.
Startpage's majority shareholder is System1 who is an adtech company. We don't think that is an issue as they have their own Privacy Policy. The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) for clarification and was satisfied by the answers we received.
### Mojeek
@ -50,8 +52,9 @@ Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if
[Visit mojeek.com](https://www.mojeek.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mojeek.com/about/privacy){ .md-button }
!!! note
The company is based in the 🇬🇧 UK. According to their [Privacy Policy](https://www.mojeek.com/about/privacy/), they log the originating country, time, page requested, and referral data of each query. IP addresses are not logged.
!!! note
The company is based in the 🇬🇧 UK. According to their [Privacy Policy](https://www.mojeek.com/about/privacy/), they log the originating country, time, page requested, and referral data of each query. IP addresses are not logged.
### Searx
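Review bot: The Mojeek note keeps "The company is based in the 🇬🇧 UK" while the DuckDuckGo note in this commit was reworded to "DuckDuckGo is based in ..." and the Startpage note already names the product; change it to "Mojeek is based in ..." so the three notes read the same way.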
@ -63,9 +66,8 @@ Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org/) if
[Visit searx.me](https://searx.me){ .md-button .md-button--primary } [:pg-tor:](http://searxspbitokayvkhzhsnljde7rqmn7rvoga6e4waeub3h7ug3nghoad.onion){ .md-button }
!!! note
Searx is a proxy between the user and the search engines it aggregates from. Your search queries will still be sent to the search engines that Searx gets its results from.
Searx is a proxy between the user and the search engines it aggregates from. Your search queries will still be sent to the search engines that Searx gets its results from.
When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Searx, as other people looking up illegal content on your instance could draw unwanted attention from authorities.
When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Searx, as other people looking up illegal content on your instance could draw unwanted attention from authorities.
When you are using a Searx instance, be sure to go read the Privacy Policy of that specific instance. Searx instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information).
When you are using a Searx instance, be sure to go read the Privacy Policy of that specific instance. Searx instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information).

View File

@ -8,6 +8,10 @@ The primary threat when using a video streaming platform is that your streaming
### FreeTube
!!! Warning
When using Freetube, your IP address is still known to YouTube, [Invidious](https://instances.invidious.io) and the SponsorBlock instances that you use. Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org) if your [threat model](/threat-modeling.md) requires hiding your IP address.
!!! recommendation
![FreeTube logo](/assets/img/video-streaming/freetube.svg){ align=right }
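Review bot: The relocated warning links the threat model as `/threat-modeling.md`, while the copy of this warning in the next hunk and the LBRY warning both use `/threat-modeling`; the `.md` suffix looks unintended and may not resolve the same way on the built site. The warning also writes "Freetube" where the heading and description use "FreeTube".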
@ -16,9 +20,6 @@ The primary threat when using a video streaming platform is that your streaming
FreeTube also features [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored advertisements. All YouTube advertisements are also blocked by default.
!!! Warning
When using Freetube, your IP address is still known to YouTube, [Invidious](https://instances.invidious.io) and the SponsorBlock instances that you use. Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org) if your [threat model](/threat-modeling) requires hiding your IP address.
[Visit freetubeapp.io](https://freetubeapp.io){ .md-button .md-button--primary } [Privacy Policy](https://freetubeapp.io/privacy.php){ .md-button }
**Downloads**
@ -30,6 +31,10 @@ The primary threat when using a video streaming platform is that your streaming
### LBRY
!!! note
Only the **LBRY desktop client** is recommended. The [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the AppStore have mandatory synchronization and telemetry.
!!! recommendation
![LBRY logo](/assets/img/video-streaming/lbry.svg){ align=right }
@ -38,18 +43,6 @@ The primary threat when using a video streaming platform is that your streaming
**The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.
!!! Warning
We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
!!! Warning
Only the **LBRY desktop client** is recommended. The [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the AppStore have mandatory synchronization and telemetry.
!!! Warning
While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org) if your [threat model](/threat-modeling) requires hiding your IP address.
!!! Tip
You can disable *Save hosting data to help the LBRY network* option (⚙️ Settings → Advanced Settings) to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
[Visit lbry.com](https://lbry.com){ .md-button .md-button--primary } [Privacy Policy](https://lbry.com/privacypolicy){ .md-button }
**Downloads**
@ -58,6 +51,14 @@ The primary threat when using a video streaming platform is that your streaming
- [:fontawesome-brands-linux: Linux](https://lbry.com/linux)
- [:fontawesome-brands-github: Source](https://github.com/lbryio)
!!! warning
While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](/providers/vpn) or [Tor](https://www.torproject.org) if your [threat model](/threat-modeling) requires hiding your IP address.
We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
You can disable *Save hosting data to help the LBRY network* option (⚙️ Settings → Advanced Settings) to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
### NewPipe
!!! recommendation
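Review bot: In the block added after the LBRY Downloads list, the wallet-synchronization caution and the "You can disable *Save hosting data to help the LBRY network*" paragraph follow the single `!!! warning` header with no header of their own, so what used to be a `!!! Tip` now renders as part of a warning. If the merge is intentional, reword that last paragraph as a caution so the three read as one block; if not, give it its own `!!! tip` admonition.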
@ -66,8 +67,6 @@ The primary threat when using a video streaming platform is that your streaming
**NewPipe** is a free and open source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [FramaTube](https://framatube.org), and [Bandcamp](https://bandcamp.com).
!!! note
NewPipe is available on the main [F-Droid](https://www.f-droid.org)'s repository. We recommend that you use the NewPipe's own [F-Droid repository](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo) instead to get faster updates.
Your subscription list and playlists are saved locally on your Android device.
[Visit newpipe.net](https://newpipe.net){ .md-button .md-button--primary } [Privacy Policy](https://newpipe.net/legal/privacy){ .md-button }
@ -76,6 +75,10 @@ The primary threat when using a video streaming platform is that your streaming
- [:fontawesome-brands-android: F-Droid repo](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo)
- [:fontawesome-brands-github: Source](https://github.com/TeamNewPipe/NewPipe)
!!! note
NewPipe is available on the main [F-Droid](https://www.f-droid.org)'s repository. We recommend that you use NewPipe's own [F-Droid repository](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo) instead to get faster updates.
### NewPipe x SponsorBlock
!!! recommendation
@ -85,19 +88,22 @@ The primary threat when using a video streaming platform is that your streaming
**NewPipe x SponsorBlock** is a fork of [NewPipe](https://newpipe.net) with [SponsorBlock](https://sponsor.ajay.app) integrated to help you skip sponsored advertisements.
It also has some experimental settings such as the ability to use the built-in player for local playback, an option to force fullscreen on landscape mode, and an option to disable error reporting prompts.
!!! note
This fork is not endorsed by or affiliated with the upstream project. The NewPipe team has [rejected](https://github.com/TeamNewPipe/NewPipe/pull/3205) integration with SponsorBlock and thus this fork is created to provide this functionality.
[Visit github.com](https://github.com/polymorphicshade/NewPipe){ .md-button .md-button--primary }
**Downloads**
- [:fontawesome-brands-android: F-Droid repo](https://apt.izzysoft.de/fdroid/index/apk/org.polymorphicshade.newpipe)
- [:fontawesome-brands-github: Source](https://github.com/polymorphicshade/NewPipe)
This fork is not endorsed by or affiliated with the upstream project. The NewPipe team has [rejected](https://github.com/TeamNewPipe/NewPipe/pull/3205) integration with SponsorBlock and thus this fork is created to provide this functionality.
## Web-based Frontends
### Invidious
!!! warning
Invidious does not proxy the video stream through its server by default. Videos watched through Invidious will still make direct connections to Google's servers (googlevideo.com); however, some instances support video proxying. This can be enabled by adding `&local=true` to the URL.
!!! recommendation
![Invidious logo](/assets/img/video-streaming/invidious.svg#only-light){ align=right }
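Review bot: The Invidious `!!! warning` about unproxied video streams is placed above `!!! recommendation`, while the other admonitions this commit relocates (LBRY, NewPipe) go below the **Downloads** list. For a change titled "Page formatting consistency", either state the rule (for example, warnings that apply before first use go on top) in the contributor docs or move this one below Downloads as well. Also check the relocated "This fork is not endorsed by or affiliated with the upstream project" paragraph at the end of the NewPipe x SponsorBlock section: as shown here it has no `!!! note` line directly in front of it.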
@ -105,24 +111,20 @@ The primary threat when using a video streaming platform is that your streaming
**Invidious** is a free and open source front end for YouTube that is also self-hostable. There are list of [public instances](https://instances.invidious.io). Some instances have [Tor](https://www.torproject.org) onion services support.
!!! tip
Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security setting. It does not provide privacy by itself and we dont recommend logging into any accounts.
!!! warning
Invidious does not proxy the video stream through its server by default. Videos watched through Invidious will still make direct connections to Google's servers (googlevideo.com); however, some instances support video proxying. This can be enabled by adding `&local=true` to the URL.
!!! warning
When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
!!! note
When you are using an Invidious instance, be sure to go read the Privacy Policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information).
[Visit invidious.io](https://invidious.io){ .md-button .md-button--primary } [Privacy Policy](){ .md-button }
**Downloads**
- [:fontawesome-solid-earth-americas: Instances](https://instances.invidious.io)
- [:fontawesome-brands-github: Source](https://github.com/iv-org/invidious)
!!! tip
Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security setting. It does not provide privacy by itself and we dont recommend logging into any accounts.
When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
When you are using an Invidious instance, be sure to go read the Privacy Policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information).
### Piped
!!! recommendation
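Review bot: The Privacy Policy button in the Invidious card, `[Privacy Policy](){ .md-button }`, has an empty link target and will render a button that leads nowhere. Since this hunk already reworks the card, either drop the button or replace it with text pointing readers to the policy of the instance they use, which is what the relocated paragraph below already advises. While here, the relocated tip still reads "we dont recommend" and the description reads "There are list of"; both can be fixed in the same pass.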
@ -131,19 +133,17 @@ The primary threat when using a video streaming platform is that your streaming
**Piped** is a free and open source front end for YouTube that is also self-hostable. Alternative instances can be selected from "Preferences".
!!! tip
Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself and we dont recommend logging into any accounts.
!!! warning
When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
!!! warning
When you are using a Piped instance, be sure to go read the Privacy Policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
!!! warning
Piped requires javascript in order to function.
Piped requires JavaScript in order to function.
[Visit piped.kavin.rocks](https://piped.kavin.rocks/){ .md-button .md-button--primary }
**Downloads**
- [:fontawesome-brands-github: Source](https://github.com/TeamPiped/Piped)
!!! tip
Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself and we dont recommend logging into any accounts.
When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
When you are using a Piped instance, be sure to go read the Privacy Policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
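Review bot: The relocated Piped `!!! tip` still reads "we dont recommend logging into any accounts", even though the same hunk corrects "javascript" to "JavaScript"; fix the apostrophe here too. The self-hosting and per-instance privacy-policy cautions now follow the tip as plain paragraphs after losing their `!!! warning` headers, so confirm they are meant to render with tip styling rather than as warnings.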