Fix broken links (#1387)

Co-authored-by: Jonah Aragon <github@aragon.science>

.github/workflows/deploy.yml

@@ -29,7 +29,7 @@ jobs:
           python-version: '3.7'
       
       - name: Cache files
-        uses: actions/cache@v3.0.2
+        uses: actions/cache@v3.0.3
         with:
           key: ${{ github.ref }}
           path: .cache

.gitmodules

@@ -4,3 +4,6 @@
 [submodule "docs/assets/brand"]
 	path = docs/assets/brand
 	url = https://github.com/privacyguides/brand.git
+[submodule "docs/blog"]
+	path = docs/blog
+	url = https://github.com/privacyguides/blog.git

Pipfile

@@ -10,6 +10,7 @@ mkdocs-static-i18n = "*"
 mkdocs-git-revision-date-localized-plugin = "*"
 typing-extensions = "*"
 mkdocs-minify-plugin = "*"
+mkdocs-rss-plugin = "*"
 
 [dev-packages]
 scour = "*"

Pipfile.lock

@@ -1,7 +1,7 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "76ed583036efde0ea1b0725942175f9c77c8a04f218b4822cc8dcc0f8174e2f4"
+            "sha256": "ce0d93277762e5052d095796291285ed1ff44183570f08ebfa71b76619eee48e"
         },
         "pipfile-spec": 6,
         "requires": {
@@ -182,7 +182,7 @@
                 "sha256:5d26852efe48c0a32b0509ffbc583fda1a2266545a78d104a6f4aff3db17d700",
                 "sha256:c58c8eb8a762858f49e18436ff552e83914778e50e9d2f1660535ffb364552ec"
             ],
-            "markers": "python_version >= '3.7'",
+            "markers": "python_version < '3.10'",
             "version": "==4.11.4"
         },
         "jinja2": {
@@ -364,6 +364,14 @@
             "index": "pypi",
             "version": "==0.5.0"
         },
+        "mkdocs-rss-plugin": {
+            "hashes": [
+                "sha256:50671e2030188da4bc01ff421d979903a01cd87b02e2ec5f430fd05d5ed55825",
+                "sha256:536efc35c2f62ea1eac4bae23532e07f0a19b9044291a12960f47be7d3aaf99e"
+            ],
+            "index": "pypi",
+            "version": "==1.1.0"
+        },
         "mkdocs-static-i18n": {
             "hashes": [
                 "sha256:5d69b4eb284931bd048a36f923367f2a7bd0dc7b0438008dce8ca1a8feee99e2"

docs/about/notices.en.md

@@ -20,7 +20,7 @@ Unless otherwise noted, all content on this website is made freely available und
 
 This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive:
 
-* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/LICENSE.mathjax.txt).
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt).
 
 Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
 

docs/android.en.md

@@ -51,9 +51,9 @@ Google Pixel phones are the only devices that currently meet GrapheneOS's [hardw
     [:octicons-code-16:](https://github.com/CalyxOS){ .card-link title="Source Code" }
     [:octicons-heart-16:](https://members.calyxinstitute.org/donate){ .card-link title=Contribute }
 
-For people who need Google Play Services, CalyxOS optionally includes [microG](https://microg.org/). CalyxOS also includes alternate location services, [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu).
+CalyxOS optionally includes [microG](https://microg.org/), a partially open source reimplementation of Play Services which provides broader app compatibility. It also bundles in alternate location services: [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu).
 
-CalyxOS only [supports](https://calyxos.org/docs/guide/device-support/) Google Pixel phones. However, support for the OnePlus 8T/9 and Fairphone 4 is [currently in beta](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/).
+CalyxOS [supports](https://calyxos.org/docs/guide/device-support/) Google Pixel phones, the OnePlus 8T/9 and the Fairphone 4. We only recommend CalyxOS as a harm reduction measure for the OnePlus 8T, OnePlus 9, and especially the Fairphone 4.
 
 ### DivestOS
 
@@ -85,6 +85,8 @@ DivestOS implements some system hardening patches originally developed for Graph
 
 ## Android Devices
 
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+
 Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution.
 
 Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
@@ -97,6 +99,8 @@ A few more tips regarding Android devices and operating system compatibility:
 
 ### Google Pixel
 
+Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+
 !!! recommendation
 
     ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
@@ -107,7 +111,9 @@ A few more tips regarding Android devices and operating system compatibility:
 
     [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary }
 
-Unless you have a need for specific [CalyxOS features](https://calyxos.org/features/) that are unavailable on GrapheneOS, we strongly recommend GrapheneOS over other operating system choices on Pixel devices.
+Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
+
+Google Pixel phones use a TEE OS called Trusty which is [open source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
 
 The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
 
@@ -120,15 +126,7 @@ A few more tips for purchasing a Google Pixel:
 
 ### Other Devices
 
-!!! important
-
-    Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
-
-    Secure Elements are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation and rate limiting but not running "trusted" programs. Phones without a Secure Element have to use the TEE for secrets storage, rate limiting, *and* trusted computing, which results in a larger attack surface.
-
-    The following OEMs are only mentioned as they have phones compatible with the operating systems recommended by us. If you are purchasing a new device, we only recommend purchasing a Google Pixel.
-
-When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
+The following OEMs are only mentioned as they have phones compatible with the operating systems recommended by us. If you are purchasing a new device, we only recommend purchasing a Google Pixel.
 
 #### OnePlus
 
@@ -166,8 +164,8 @@ Fairphone markets their devices as receiving 6 years of support. However, the So
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=org.torproject.android){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://guardianproject.info/fdroid){ .card-link title=F-Droid }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+        - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid)
 
 Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
 
@@ -195,8 +193,8 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=net.typeblog.shelter){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/en/packages/net.typeblog.shelter){ .card-link title=F-Droid }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.typeblog.shelter)
 
 !!! warning
 
@@ -223,8 +221,8 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=app.attestation.auditor){ .card-link title="Google Play" }
-        [:fontawesome-brands-github:](https://github.com/GrapheneOS/Auditor/releases){ .card-link title=GitHub }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor)
+        - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Auditor/releases)
 
 Auditor performs attestation and intrusion detection by:
 
@@ -255,8 +253,8 @@ To make sure that your hardware and operating system is genuine, [perform local
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play){ .card-link title="Google Play" }
-        [:fontawesome-brands-github:](https://github.com/GrapheneOS/Camera/releases){ .card-link title=GitHub }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
+        - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
 
 Main privacy features include:
 
@@ -287,8 +285,8 @@ Main privacy features include:
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play){ .card-link title="Google Play" }
-        [:fontawesome-brands-github:](https://github.com/GrapheneOS/PdfViewer/releases){ .card-link title=GitHub }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
+        - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
 
 ### PrivacyBlur
 
@@ -305,8 +303,8 @@ Main privacy features include:
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=de.mathema.privacyblur){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/en/packages/de.mathema.privacyblur/){ .card-link title=F-Droid }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.mathema.privacyblur/)
 
 !!! warning
 
@@ -357,8 +355,8 @@ To mitigate these problems, we recommend [Neo Store](https://github.com/NeoAppli
 
     ??? downloads
 
-        [:fontawesome-brands-android:](https://android.izzysoft.de/repo/apk/com.looker.droidify){ .card-link title="IzzyOnDroid (APK)" }
-        [:fontawesome-brands-github:](https://github.com/NeoApplications/Neo-Store/releases){ .card-link title=GitHub }
+        - [:fontawesome-brands-android: IzzyOnDroid (APK)](https://android.izzysoft.de/repo/apk/com.looker.droidify)
+        - [:fontawesome-brands-github: GitHub](https://github.com/NeoApplications/Neo-Store/releases)
 
 ### Manually with RSS Notifications
 

docs/android/grapheneos-vs-calyxos.en.md

@@ -10,21 +10,29 @@ GrapheneOS extends the user profile feature, allowing you to end a current sessi
 
 ## Sandboxed Google Play vs Privileged microG
 
-When Google Play services are used on GrapheneOS, they run as a user app and are contained within a user or work profile.
+When Google Play services are used on GrapheneOS, they run as a user app and are contained within a user or work profile. Sandboxed Google Play is confined using the highly restrictive, default [`untrusted_app`](https://source.android.com/security/selinux/concepts) domain provided by [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux). Permissions for apps to use Google Play Services can be revoked at any time.
 
-Sandboxed Google Play is confined using the highly restrictive, default [`untrusted_app`](https://source.android.com/security/selinux/concepts) domain provided by [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux). Permissions for apps to use Google Play Services can be revoked at any time.
+microG is a partially open-source re-implementation of Google Play Services.[^1] On CalyxOS, it runs in the highly privileged [`system_app`](https://source.android.com/security/selinux/concepts) SELinux domain like regular Google Play Services, and it uses [signature spoofing](https://github.com/microg/GmsCore/wiki/Signature-Spoofing) to masquerade as Google Play Services. This is less secure than Sandboxed Google Play's approach, which does not need access to sensitive system APIs.
 
-microG is an open-source re-implementation of Google Play Services. This means it needs to be updated every time Android has a major version update (or the Android API changes). It also needs to run in the highly privileged [`system_app`](https://source.android.com/security/selinux/concepts) SELinux domain like regular Google Play Services, and it requires an operating system that allows [signature spoofing](https://github.com/microg/GmsCore/wiki/Signature-Spoofing), which allows system apps to insecurely masquerade as other apps. This is less secure than Sandboxed Google Play's approach, which does not need access to sensitive system APIs.
-
-When using Sandboxed Play Services, you have the option to reroute location requests to the Play Services API back to the OS location API which uses satellite based location services. With microG, you have the option to either not use a network location backend at all, *shift trust* to another location backend like Mozilla, or use [DejaVu](https://github.com/n76/DejaVu), a location backend that locally collects and saves RF-based location data to an offline database which can be used when GPS is not available.
+When using Sandboxed Play Services, you have the option to reroute location requests to the Play Services API back to the OS location API, which uses satellite based location services. With microG, you have the option to choose between different backend location providers, including *shifting trust* to another location backend, like Mozilla; using [DejaVu](https://github.com/n76/DejaVu), a location backend that locally collects and saves RF-based location data to an offline database which can be used when GPS is not available; or to simply not use a network location backend at all.
 
 Network location providers like Play Services or Mozilla rely the on the MAC addresses of surrounding WiFi access points and Bluetooth devices being submitted for location approximation. Choosing a network location like Mozilla to use with microG provides little to no privacy benefit over Google because you are still submitting the same data and trusting them to not profile you.
 
-Local RF location backends like DejaVu require that the phone has a working GPS first for the local RF data collected to be useful. This makes them ineffective as location providers, as the job of a location provider is to assist location approximation when satellite based services are not working.
+Local RF location backends like DejaVu require that the phone has a working GPS first for the local RF data collected to be useful. This makes them less effective as location providers, as the job of a location provider is to assist location approximation when satellite based services are not working.
 
 If your threat model requires protecting your location or the MAC addresses of nearby devices, rerouting location requests to the OS location API is probably the best option. The benefit brought by microG's custom location backend is minimal at best when compared to Sandboxed Play Services.
 
-In terms of application compatibility, Sandboxed Google Play outperforms microG due to its support for many services which microG has not yet implemented, like [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html). Authentication using [FIDO](basics/multi-factor-authentication#fido-fast-identity-online) with online services on Android also relies on Play Services, and the feature is not yet implemented in microG.
+In terms of application compatibility, Sandboxed Google Play on GrapheneOS outperforms microG on CalyxOS due to its support for many services which microG has not yet implemented, like [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html). Larger apps, especially games, require Play Delivery to be installed, which is currently not implemented in microG. Authentication using [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) with online services on Android also relies on Play Services, and does not currently work with microG.
+
+[^1]: It should be noted that microG still uses proprietary Google binaries for some of its components such as DroidGuard. Push notifications, if enabled, still go through Google's servers just like with Play Services. Outisde of default microG setups like on CalyxOS, it is possible to run microG in the unprivileged `untrusted app` SELinux domain and without the signature spoofing patch. However, microG's functionality and compatibility, which is already not nearly as broad as Sandboxed Play Services, will greatly diminish.
+
+## Privileged eSIM Activation Application
+
+Currently, eSIM activation is tied to a privileged proprietary application by Google. The app has the `READ_PRIVILEGED_PHONE_STATE` permission, giving Google access to your hardware identifiers such as the IMEI.
+
+On GrapheneOS, the app comes disabled, and can be *optionally* enabled by the user after they have installed Sandboxed Play Services.
+
+On CalyxOS, the app comes installed by default (regardless of whether you choose to have microG or not) and cannot be opted out. This is particularly problematic, as it means Google still has access to the user's hardware identifiers regardless of whether they even need the eSIM activation or not, and can access them persistently.
 
 ## Privileged App Extensions
 
@@ -34,11 +42,11 @@ GrapheneOS does not include F-Droid, because all updates have to be manually ins
 
 CalyxOS includes the [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged), which may lower device security. Seamless app updates should be possible with [Aurora Store](https://auroraoss.com) in Android 12.
 
-## Additional hardening
+## Additional Hardening
 
 GrapheneOS improves upon [AOSP](https://source.android.com/) security with:
 
-- **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means that apps which use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium/tree/12/patches) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it.
+- **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means that apps which use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it.
 - **Hardened Kernel:** GrapheneOS kernel includes some hardening from the [linux-hardened](https://github.com/GrapheneOS/linux-hardened) project and the [Kernel Self Protection Project (KSPP)](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project). CalyxOS uses the [same kernel](https://calyxos.org/docs/development/build/kernel/) as regular Android with some minor modifications.
 - **Hardened Memory Allocator:** GrapheneOS uses the [hardened malloc](https://github.com/GrapheneOS/hardened_malloc) subproject as its memory allocator. This focuses on hardening against [memory heap corruption](https://en.wikipedia.org/wiki/Memory_corruption). CalyxOS uses the default AOSP [Scudo Malloc](https://source.android.com/devices/tech/debug/scudo), which is generally [less effective](https://twitter.com/danielmicay/status/1033671709197398016). Hardened Malloc has uncovered vulnerabilities in AOSP which have been [fixed](https://github.com/GrapheneOS/platform_system_core/commit/be11b59725aa6118b0e1f0712572e835c3d50746) by GrapheneOS such as [CVE-2021-0703](https://nvd.nist.gov/vuln/detail/CVE-2021-0703).
 - **Secure Exec Spawning:** GrapheneOS [spawns](https://en.wikipedia.org/wiki/Spawn_(computing)) fresh processes as opposed to using the [Zygote model](https://ayusch.com/android-internals-the-android-os-boot-process) used by AOSP and CalyxOS. The Zygote model weakens [Address Space Layout Randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) and is considered [less secure](https://wenke.gtisc.gatech.edu/papers/morula.pdf). Creating [fresh processes](https://grapheneos.org/usage#exec-spawning) is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an [old device](https://support.google.com/nexus/answer/4457705) with slow storage such as the Pixel 3a/3a XL as it has [eMMC](https://en.wikipedia.org/wiki/MultiMediaCard#eMMC).

docs/android/overview.en.md

@@ -50,7 +50,7 @@ It's important to not use an [end-of-life](https://endoflife.date/android) versi
 
 [Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore there is no need to install any antivirus apps. The savings you make from not purchasing or subscribing to security apps is better spent on paying for a supported device in the future.
 
-Should you want to run an app that you're unsure about, consider using a user or work [profile](android/#android-security-privacy).
+Should you want to run an app that you're unsure about, consider using a user or work profile.
 
 ## User Profiles
 

docs/assets/rainbow-brand/privacy-guides-logo-notext.svg

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg  PUBLIC '-//W3C//DTD SVG 1.1//EN'  'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
+<svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" version="1.1" viewBox="0 0 33 34" xml:space="preserve" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <path d="m4.581 4.337c-0.113 0.379-0.049 0.822 0.077 1.707l1.604 11.224c0.277 1.939 0.415 2.909 0.782 3.775 0.325 0.768 0.781 1.474 1.346 2.087 0.638 0.691 1.465 1.217 3.117 2.269l2.349 1.495c1.126 0.716 1.69 1.075 2.295 1.214 0.465 0.108 0.947 0.121 1.416 0.042-0.388-0.887-0.603-1.867-0.603-2.897 0-3.996 3.24-7.236 7.236-7.236 1.166 0 2.268 0.276 3.243 0.766 0.069-0.432 0.14-0.929 0.223-1.514v-1e-3l1.604-11.224c0.126-0.885 0.19-1.328 0.077-1.707-0.099-0.334-0.292-0.632-0.557-0.859-0.3-0.257-0.73-0.38-1.59-0.626l-9.441-2.697c-0.296-0.085-0.444-0.127-0.594-0.144-0.134-0.015-0.268-0.015-0.402 0-0.15 0.017-0.298 0.059-0.594 0.144l-9.441 2.697c-0.86 0.246-1.29 0.369-1.59 0.626-0.265 0.227-0.458 0.525-0.557 0.859z" fill="#ffd06f"/>
+    <clipPath id="_clip1">
+        <path d="m4.581 4.337c-0.113 0.379-0.049 0.822 0.077 1.707l1.604 11.224c0.277 1.939 0.415 2.909 0.782 3.775 0.325 0.768 0.781 1.474 1.346 2.087 0.638 0.691 1.465 1.217 3.117 2.269l2.349 1.495c1.126 0.716 1.69 1.075 2.295 1.214 0.465 0.108 0.947 0.121 1.416 0.042-0.388-0.887-0.603-1.867-0.603-2.897 0-3.996 3.24-7.236 7.236-7.236 1.166 0 2.268 0.276 3.243 0.766 0.069-0.432 0.14-0.929 0.223-1.514v-1e-3l1.604-11.224c0.126-0.885 0.19-1.328 0.077-1.707-0.099-0.334-0.292-0.632-0.557-0.859-0.3-0.257-0.73-0.38-1.59-0.626l-9.441-2.697c-0.296-0.085-0.444-0.127-0.594-0.144-0.134-0.015-0.268-0.015-0.402 0-0.15 0.017-0.298 0.059-0.594 0.144l-9.441 2.697c-0.86 0.246-1.29 0.369-1.59 0.626-0.265 0.227-0.458 0.525-0.557 0.859z"/>
+    </clipPath>
+    <g clip-path="url(#_clip1)">
+        <use transform="scale(.99533 .97244)" x="4.544" width="24.883px" height="28.201px" xlink:href="#_Image2"/>
+    </g>
+    <path d="m13.246 2.719c0.066-7e-3 0.134-7e-3 0.201 0 0.057 7e-3 0.122 0.022 0.446 0.114l9.44 2.698c0.444 0.126 0.727 0.208 0.94 0.287 0.202 0.075 0.274 0.124 0.311 0.156 0.132 0.113 0.229 0.262 0.278 0.429 0.014 0.047 0.03 0.133 0.016 0.348-0.015 0.226-0.056 0.518-0.122 0.974l-1.346 9.426c-4.125 0.397-7.351 3.873-7.351 8.102 0 0.835 0.126 1.641 0.36 2.4l-0.451 0.286c-1.183 0.753-1.594 1.001-2.012 1.097-0.401 0.092-0.818 0.092-1.22 0-0.417-0.096-0.829-0.344-2.012-1.097l-2.349-1.494c-1.693-1.078-2.398-1.535-2.938-2.12-0.495-0.536-0.894-1.153-1.178-1.825-0.31-0.733-0.436-1.564-0.72-3.551l-1.603-11.224c-0.066-0.456-0.107-0.748-0.121-0.974-0.015-0.215 1e-3 -0.301 0.015-0.348 0.05-0.167 0.146-0.316 0.279-0.429 0.036-0.032 0.109-0.081 0.31-0.156 0.213-0.079 0.496-0.161 0.94-0.287l9.44-2.698c0.324-0.092 0.389-0.107 0.447-0.114zm13.306 5.231-1.318 9.228c4.007 0.508 7.106 3.93 7.106 8.075 0 4.496-3.644 8.141-8.14 8.141-3.01 0-5.639-1.634-7.048-4.064l-0.212 0.136-0.135 0.085c-0.996 0.634-1.683 1.072-2.443 1.248-0.668 0.154-1.364 0.154-2.032 0-0.76-0.176-1.447-0.614-2.443-1.248l-0.134-0.085-2.466-1.57c-1.541-0.98-2.461-1.565-3.179-2.344-0.637-0.689-1.149-1.483-1.515-2.347-0.413-0.976-0.567-2.054-0.825-3.863l-1.628-11.392c-0.059-0.416-0.111-0.778-0.131-1.081-0.021-0.323-0.012-0.648 0.087-0.98 0.148-0.501 0.439-0.949 0.835-1.289 0.264-0.226 0.557-0.366 0.86-0.478 0.285-0.106 0.636-0.206 1.04-0.322l0.031-9e-3 9.44-2.697 0.05-0.014c0.247-0.071 0.465-0.133 0.693-0.159 0.2-0.022 0.402-0.022 0.603 0 0.227 0.026 0.445 0.088 0.692 0.159l0.05 0.014 9.471 2.706c0.404 0.116 0.755 0.216 1.04 0.322 0.304 0.112 0.596 0.252 0.86 0.478 0.397 0.34 0.687 0.788 0.835 1.289 0.099 0.332 0.108 0.657 0.087 0.98-0.02 0.303-0.072 0.665-0.131 1.08v1e-3zm-2.352 10.972c-3.497 0-6.332 2.835-6.332 6.331 0 3.497 2.835 6.332 6.332 6.332s6.331-2.835 6.331-6.332c0-3.496-2.834-6.331-6.331-6.331zm4.313 4.197c0.319-0.384 0.268-0.954-0.116-1.274s-0.954-0.268-1.274 0.116l-3.888 4.666-2.013-2.013c-0.354-0.353-0.926-0.353-1.28 0-0.353 0.353-0.353 0.926 0 1.279l2.714 2.713c0.18 0.18 0.427 0.276 0.68 0.264 0.254-0.011 0.492-0.129 0.654-0.324l4.523-5.427zm-19.689-10.529c0-2.497 2.024-4.522 4.522-4.522s4.522 2.025 4.522 4.522c0 1.48-0.71 2.794-1.809 3.619v3.617c0 1.499-1.214 2.714-2.713 2.714s-2.713-1.215-2.713-2.714v-3.617c-1.099-0.825-1.809-2.139-1.809-3.619zm5.426 4.523h-1.808v2.713c0 0.5 0.405 0.905 0.904 0.905 0.5 0 0.904-0.405 0.904-0.905v-2.713zm-0.904-1.809c1.499 0 2.713-1.215 2.713-2.714 0-1.498-1.214-2.713-2.713-2.713s-2.713 1.215-2.713 2.713c0 1.499 1.214 2.714 2.713 2.714z" fill="#28323f"/>
+    <defs>
+        <image id="_Image2" width="25px" height="29px" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABkAAAAdCAYAAABfeMd1AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAa0lEQVRIiWP8U1b2n4HGgInWFgwvS1gYhOhgCbMp7S0ZPnFCp4gXpYclivSwhA4BNowi/vBzZtpbsuUBK80tGT5xQqcc/y6UDpZ806G5JcMoThj/07xFxMBid+sE7S1h+/ub5pYMn4iniyUAs5sPQ3yZHVsAAAAASUVORK5CYII="/>
+    </defs>
+</svg>

docs/assets/stylesheets/blog.css

@@ -0,0 +1,34 @@
+/* Homepage hero section */
+
+.mdx-hero {
+    color: var(--pg-hero-color);
+    margin: 0 0.8rem;
+    text-align: center;
+}
+.mdx-hero h1 {
+    color: currentcolor;
+    margin-bottom: 1rem;
+    font-size: 2.6rem;
+}
+@media screen and (max-width: 29.9375em) {
+    .mdx-hero h1 {
+        font-size: 1.4rem;
+    }
+}
+.mdx-hero__content {
+    margin-top: 2rem;
+    padding-bottom: 0rem;
+}
+[data-md-color-scheme="slate"] .mdx-hero .md-button--primary {
+    color: var(--md-primary-fg-color);
+}
+.mdx-hero .md-button--primary {
+    color: var(--md-primary-fg-color);
+    background-color: var(--pg-hero-color);
+    border-color: transparent;
+    margin-right: 0.5rem;
+    margin-top: 0.5rem;
+}
+nav[class="md-tabs"] {
+    border-bottom: none;
+}

docs/assets/stylesheets/extra.css

@@ -211,13 +211,31 @@ h1, h2, h3, .md-header__topic {
     right:auto;
 }
 
-.downloads p > a {
-    padding-left: 0.5em;
+.downloads > ul > li {
+    padding: 0.5em 0 !important;
 }
+
+.downloads > ul .twemoji {
+    width: .9rem
+}
+
 details[class="downloads annotate"] > p .md-annotation span span::before {
     vertical-align: 0;
 }
 
+.downloads > ul {
+    display: grid!important;
+    grid-template-columns: repeat(4, 1fr);
+    align-items: center;
+    list-style-type: none;
+}
+
+@media screen and (max-width: 600px) {
+  .downloads > ul {
+    grid-template-columns: repeat(2, 1fr);
+  }
+}
+
 /* Card links */
 .md-typeset .card-link {
     color: var(--md-default-fg-color--light);

docs/basics/account-deletion.en.md

@@ -50,7 +50,7 @@ For the account email, either create a new alternate email account via your prov
 
 You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
 
-For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](basics/multi-factor-authentication) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](/passwords/#local-password-managers) can be useful for this).
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](/passwords/#local-password-managers) can be useful for this).
 
 If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
 

docs/basics/common-threats.en.md

@@ -28,7 +28,7 @@ Whistleblowers and journalists, for example, can have a much more extreme threat
 
 <span class="pg-orange">:material-bug-outline: Passive Attacks</span>
 
-Security and privacy are often conflated, because you need security to obtain any semblance of privacy: Using tools which appear private is futile if they could easily be exploited by attackers to release your data later. However, the inverse is not necessarily true; the most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google, who, given their scale, have had minimal security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides a very secure service, very few would consider their data private in their hands.
+Security and privacy are often conflated, because you need security to obtain any semblance of privacy: Using tools which appear private is futile if they could easily be exploited by attackers to release your data later. However, the inverse is not necessarily true; the most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google, who, given their scale, have had minimal security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides a very secure service, very few would consider their data private in Google's free consumer products (Gmail, YouTube etc).
 
 When it comes to application security, we generally do not (and sometimes cannot) know if the software that we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there is generally no guarantee that their software does not have a serious vulnerability that could later be exploited.
 
@@ -38,7 +38,7 @@ To minimize the potential damage that a malicious piece of software can do, you
 
     Mobile operating systems are generally safer than desktop operating systems when it comes to application sandboxing. Apps cannot obtain root access and only have access to system resources which you grant them.
 
-    Desktop operating systems generally lag behind on proper sandboxing. Chrome OS has similar sandboxing properties to Android, and macOS has full system permission control and opt-in (for developers) sandboxing for applications, however these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make heavy use of VMs or containers, such as Qubes OS.
+    Desktop operating systems generally lag behind on proper sandboxing. Chrome OS has similar sandboxing properties to Android, and macOS has full system permission control and opt-in (for developers) sandboxing for applications, however these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make heavy use of virtual machines or containers, such as Qubes OS.
 
 <span class="pg-red">:material-target-account: Targeted Attacks</span>
 
@@ -48,7 +48,7 @@ Targeted attacks against a specific user are more problematic to deal with. Comm
 
     **Web browsers**, **email clients**, and **office applications** all typically run untrusted code sent to you from third-parties by design. Running multiple virtual machines to separate applications like these from your host system as well as each other is one technique you can use to avoid an exploit in these applications from compromising the rest of your system. Technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this seamlessly, for example.
 
-If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, or macOS. You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure Element for rate limiting attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems do not encrypt data separately per-user.
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) for rate limiting attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems do not encrypt data separately per-user.
 
 ## Privacy From Service Providers
 
@@ -157,6 +157,36 @@ Focusing solely on the privacy policies and marketing of a tool or provider can
 
 The privacy policies and business practices of a provider you choose are very important, but should be considered secondary to technical guarantees of your privacy: Don't elect to merely shift trust to another provider when trusting a provider isn't a requirement at all.
 
+:material-numeric-4-circle: **Complicated is better**
+
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with a lot of moving parts and conditions. The replies are usually answers to, "What is the best way to do X?".
+
+Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
+
+1. <mark>Actions need to serve a particular purpose</mark>, think about how to do what you want with the least amount of actions.
+2. <mark>Remove human failure points</mark> (don't have a bunch of conditions you must remember to do what with which accounts). Humans fail, they get tired, they forget things... don't have many conditions or manual processes you must remember in order to maintain operational security.
+3. <mark>Use the right level of protection for what you intend.</mark> We often see recommendations of so-called law-enforcement, subpoena proof solutions. These require a lot of special case knowledge (knowing about how things truly work under the hood) and are generally not what people want. There is no point in building an intricately anonymous threat model if you can be easily de-anonymized by a simple oversight.
+
+So, how might this look?
+
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and places where you can get away without doing so.
+
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many such legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, a customs declaration when importing an item or otherwise dealing with your Government. These things will usually always lead back credentials such as credit cards, credit rating checks, account numbers and possibly physical addresses.
+
+    We don't suggest using a VPN or Tor for any of these things as your identity is already known through other means.
+
+    !!! tip
+
+        When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
+
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're a part of an online community you may wish to retain persona that others know. The reason this is not anonymous is because if monitored over a period of time details about the owner may reveal further information, such as the way they write (lingustics), general knowledge about topics of interest etc.
+
+    You may wish to use a VPN for this to mask your IP address. Financial transactions are more difficult and for this we'd suggest using anonymous cryptocurrencies such as Monero. Employing alt-coin shifting may also help disguise where your currency originated. Typically exchanges require KYC (know your customer) to be completed before they will allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution, however those often are more expensive and sometimes also require KYC.
+
+3. **Anonymous identity** - Anonymous identities are difficult to maintain over long periods of time for even the most experienced. They should be short-term and short lived identities which are rotated regularly.
+
+    Using Tor can help with this, it's also worth noting greater anonymity is possible through asynchronous (not real time communication). Real time communication is vulnerable to typing analysis patterns more than a slab of text distributed on a forum, email) etc that you've had time to think about, maybe even put through a translator and back again.
+
 [^1]: United States Privacy and Civil Liberties Oversight Board: [Report on the Telephone Records Program Conducted under Section 215](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
 [^2]: Wikipedia: [Surveillance capitalism](https://en.wikipedia.org/wiki/Surveillance_capitalism)
 [^3]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about") as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You need to additionally employ other mitigation techniques to be fully protected.

docs/basics/tor-overview.md

@@ -0,0 +1,58 @@
+---
+title: "Tor Overview"
+icon: 'pg/tor'
+---
+
+Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications.
+
+## Path Building
+
+Tor works by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays).
+
+Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
+
+- **The Entry Node**: Often called the guard node, this is the first node your computer connects to. The entry node sees your IP address, but does not see what you are connecting to. Unlike the other nodes, the Tor client will randomly select an entry node, and stick with it for 2 to 3 months to protect you from certain attacks.
+- **The Middle Node**: The second node to which your Tor client connects. This node can see which node traffic came from (the entry node) and which it goes to next. It does not, however, see your IP address, or the domain you are connecting to. This node is randomly picked from all Tor nodes for each circuit.
+- **The Exit Node**: This is where your traffic leaves the Tor network and is forwarded to your desired destination. The exit node does not know your IP (who you are) but it knows what you are connecting to. The exit node will, like the middle node, be chosen at random from the Tor nodes (if it runs with an exit flag).
+
+<figure markdown>
+  ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
+  ![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
+  <figcaption>Tor circuit pathway</figcaption>
+</figure>
+
+## Encryption
+
+Tor encrypts each packet three times, with the keys from the exit, middle, and entry node in that order. Once Tor has built a circuit, browsing is done as follows:
+
+1. When the packet arrives at the entry node the first layer of encryption is removed. In this encrypted packet it will find another encrypted packet with the middle node’s address. The entry node will then forward that to the middle node.
+
+2. When the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and find an encrypted packet with the exit nodes address. The middle node will then forward the packet to exit node.
+
+3. When the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Here is an alternative visualization of the process. Note how each node removes its own layer of encryption, and when the destination website returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+
+<figure markdown>
+  ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
+  ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
+  <figcaption>Sending and recieving data through the Tor Network</figcaption>
+</figure>
+
+So, what do we learn from this? We learn that Tor allows us to connect to a website without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node makes the connection, the destination website will never know who you are (your IP address).
+
+## Drawbacks
+
+Even with the strong privacy guarantees that Tor provides, one must be aware that Tor is not infallible. Global adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor via advanced traffic analysis. Furthermore, Tor does not protect you from exposing yourself. If you share to much data about your real identity, you may be deanonymized.
+
+Another downside is that exit nodes can watch your traffic, even if they do not know where it came from. This is especially problematic for websites which do not utilize HTTPS, meaning that the exit node can read all data that’s being sent through it. This in turn can lead to deanonymization if the traffic contains personal data.
+
+We recommend using HTTPS over Tor where possible, but do not alter any settings inside Tor Browser aside from the built-in security slider, including not manually enabling HTTPS only mode, as this can be used for browser fingerprinting.
+
+If you are interested in trying out Tor we recommend using the official Tor Browser. Keep in mind that you should expect added network latency and reduced bandwidth because of the multi-hop routing nature of Tor.
+
+## Further Reading
+
+- [Tor Browser manual](https://tb-manual.torproject.org/about/)
+- Tor network [video explanation](https://www.youtube-nocookie.com/embed/QRYzre4bf7I) by Computerphile
+- Hidden service [video explanation](https://www.youtube-nocookie.com/embed/lVcbq_a5N9I) by Computerphile

docs/basics/vpn-overview.en.md

@@ -5,7 +5,7 @@ icon: material/vpn
 
 Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (ie. modem).
 
-Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](/basics/dns.md/#why-shouldnt-i-use-encrypted-dns).
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](dns-overview.md#why-shouldnt-i-use-encrypted-dns).
 
 A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
 
@@ -33,7 +33,7 @@ Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct
 
 ## Should I use Tor *and* a VPN?
 
-By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required).
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](tor-overview.md).
 
 ## What if I need anonymity?
 
@@ -59,28 +59,15 @@ For use cases like these, or if you have another compelling reason, the VPN prov
 
 1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
 2. [The self-contained networks](../self-contained-networks.md) recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network
-3. [Slicing Onions: Part 1 – Myth-busting Tor](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904) by blacklight447
-4. [Slicing Onions: Part 2 – Onion recipes; VPN not required](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required) by blacklight447
-5. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
-6. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
+3. [Tor Network Overview](tor-overview.md) by blacklight447
+4. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides)
+5. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them.
 
 ## Related VPN Information
 
-- [The Trouble with VPN and Privacy Review Sites](https://medium.com/privacyguides/the-trouble-with-vpn-and-privacy-review-sites-ae9b29eda8fd)
-- [Proxy.sh VPN Provider Sniffed Server Traffic to Catch Hacker](https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/)
-- [blackVPN announced to delete connection logs after disconnection](https://medium.com/@blackVPN/no-logs-6d65d95a3016)
-- [Don't use LT2P IPSec, use other protocols.](https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa)
+- [The Trouble with VPN and Privacy Review Sites](https://jonaharagon.com/2019/11/the-trouble-with-vpn-and-privacy-review-sites/)
 - [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
 - [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
 - [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
 
-## VPN Security Breaches
-
-Some examples of why external security auditing is important:
-
-- ["Zero logs" VPN exposes millions of logs including user passwords, claims data is anonymous](https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/) July 2020
-- [NordVPN HTTP POST bug exposed customer information, no authentication required](https://www.zdnet.com/article/nordvpn-http-post-bug-exposed-sensitive-customer-information/) March 2020
-- [Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool](https://www.theregister.com/2019/10/21/nordvpn_security_issue/) October 2019
-- [VPN servers seized by Ukrainian authorities weren't encrypted and allowed authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them](https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/) July 2021
-
 --8<-- "includes/abbreviations.en.md"

docs/browsers.en.md

@@ -24,12 +24,12 @@ These are our currently recommended web browsers and configurations. In general,
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://www.torproject.org/download/){ title=Windows }
-        [:fontawesome-brands-apple:](https://www.torproject.org/download/){ title=macOS }
-        [:fontawesome-brands-linux:](https://www.torproject.org/download/){ title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/com.github.micahflee.torbrowser-launcher){ title=Flatpak }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=org.torproject.torbrowser){ title="Google Play" }
-        [:pg-f-droid:](https://guardianproject.info/fdroid/){ title=F-Droid }
+        - [:fontawesome-brands-windows: Windows](https://www.torproject.org/download/)
+        - [:fontawesome-brands-apple: macOS](https://www.torproject.org/download/)
+        - [:fontawesome-brands-linux: Linux](https://www.torproject.org/download/)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.github.micahflee.torbrowser-launcher)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+        - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid/)
 
 !!! danger
     You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Browser extensions make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
@@ -52,10 +52,10 @@ These are our currently recommended web browsers and configurations. In general,
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://www.mozilla.org/firefox/windows){ title=Windows }
-        [:fontawesome-brands-apple:](https://www.mozilla.org/firefox/mac){ title=macOS }
-        [:fontawesome-brands-linux:](https://www.mozilla.org/firefox/linux){ title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/org.mozilla.firefox){ title=Flatpak }
+        - [:fontawesome-brands-windows: Windows](https://www.mozilla.org/firefox/windows)
+        - [:fontawesome-brands-apple: macOS](https://www.mozilla.org/firefox/mac)
+        - [:fontawesome-brands-linux: Linux](https://www.mozilla.org/firefox/linux)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.firefox)
 
 !!! warning
     Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
@@ -132,9 +132,9 @@ The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of ca
 
     ??? downloads annotate
 
-        [:fontawesome-brands-windows:](https://brave.com/download/){ title=Windows }
-        [:fontawesome-brands-apple:](https://brave.com/download/){ title=macOS }
-        [:fontawesome-brands-linux:](https://brave.com/linux/){ title=Linux } (1)
+        - [:fontawesome-brands-windows: Windows](https://brave.com/download/)
+        - [:fontawesome-brands-apple: macOS](https://brave.com/download/)
+        - [:fontawesome-brands-linux: Linux](https://brave.com/linux/) (1)
 
     1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.
 
@@ -235,7 +235,7 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
 
     ??? downloads annotate
 
-        [:pg-f-droid:](https://www.bromite.org/fdroid){ title=F-Droid } (1)
+        - [:pg-f-droid: F-Droid](https://www.bromite.org/fdroid) (1)
 
     1. If you use [Neo Store](/android/#neo-store), you can enable the *Bromite repository* in:<br> :material-dots-vertical: → **Repositories**
 
@@ -332,9 +332,9 @@ We generally do not recommend installing any extensions as they increase your at
 
     ??? downloads
 
-        [:fontawesome-brands-firefox:](https://addons.mozilla.org/firefox/addon/ublock-origin/){ .card-link title=Firefox }
-        [:fontawesome-brands-chrome:](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm){ .card-link title=Chrome }
-        [:fontawesome-brands-edge:](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak){ .card-link title=Edge }
+        - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
+        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
+        - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
 
 We suggest leaving the extension in its default configuration. Additional filter lists can impact performance and may increase attack surface, so only apply what you need. If there is a [vulnerability in uBlock Origin](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) a third party filter could add malicious rules that can potentially steal user data.
 
@@ -355,7 +355,7 @@ We suggest leaving the extension in its default configuration. Additional filter
 
     ??? downloads
 
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/apple-store/id1047223162){ .card-link title="App Store" }
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/apple-store/id1047223162)
 
 Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
 
@@ -379,9 +379,9 @@ There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html
 
     ??? downloads
 
-        [:fontawesome-brands-firefox:](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/){ .card-link title=Firefox }
-        [:fontawesome-brands-chrome:](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie){ .card-link title=Chrome }
-        [:octicons-browser-16:](https://snowflake.torproject.org/embed){ .card-link title="Web (leave this page open to be a Snowflake proxy)" }
+        - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/){ .card-link title=Firefox }
+        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie){ .card-link title=Chrome }
+        - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
 
 Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
 

docs/calendar-contacts.en.md

@@ -8,6 +8,24 @@ Calendaring and contacts are some of the most sensitive data posess. Use only pr
 
 These products are included with an subscription with their respective [email providers](email.md).
 
+### Proton Calendar
+
+!!! recommendation
+
+    ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ align=right }
+
+    **Proton Calendar** is an encrypted calendar serivce available to Proton Mail members. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. Proton Calendar is currently only available for the web and Android.
+
+    [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:octicons-browser-16: Web](https://calendar.proton.me)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+
 ### Tutanota
 
 !!! recommendation
@@ -25,37 +43,39 @@ These products are included with an subscription with their respective [email pr
 
     ??? downloads
 
-        [:octicons-browser-16:](https://mail.tutanota.com/){ .card-link title=Web }
-        [:fontawesome-brands-windows:](https://tutanota.com/blog/posts/desktop-clients/){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://tutanota.com/blog/posts/desktop-clients/){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://tutanota.com/blog/posts/desktop-clients/){ .card-link title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/com.tutanota.Tutanota){ .card-link title=Flatpak }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=de.tutao.tutanota){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/en/packages/de.tutao.tutanota){ .card-link title=F-Droid }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/tutanota/id922429609){ .card-link title="App Store" }
-
-### Proton Calendar
-
-!!! recommendation
-
-    ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ align=right }
-
-    **Proton Calendar** is an encrypted calendar serivce available to Proton Mail members. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. Proton Calendar is currently only available for the web and Android.
-
-    [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        [:octicons-browser-16:](https://calendar.proton.me){ .card-link title=Web }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=me.proton.android.calendar){ .card-link title="Google Play" }
+        - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+        - [:fontawesome-brands-windows: Windows](https://tutanota.com/blog/posts/desktop-clients/)
+        - [:fontawesome-brands-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
+        - [:fontawesome-brands-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.tutanota.Tutanota)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
 
 ## Self-hostable
 
 Some of these options are self-hostable, but could be offered by third party SaaS providers for a fee:
 
+### DecSync CC
+
+!!! recommendation
+
+    ![DecSync logo](assets/img/calendar-contacts/decsync.svg){ align=right }
+
+    **DecSync CC** synchronizes contacts, calendars and tasks using DecSync. It stores this data in a shared directory, using [Syncthing](file-sharing.md#syncthing), or any other file synchronization service.
+
+    There are [plugins](https://github.com/39aldo39/DecSync#rss) to sync other types of data such as [RSS](news-aggregators.md).
+
+    [:octicons-repo-16: Repository](https://github.com/39aldo39/DecSync){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://github.com/39aldo39/DecSync/blob/master/design.md){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/39aldo39/DecSync){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://github.com/39aldo39/DecSync#donations){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.decsync.cc)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.decsync.cc)
+
 ### EteSync
 
 !!! recommendation
@@ -74,10 +94,10 @@ Some of these options are self-hostable, but could be offered by third party Saa
 
     ??? downloads
 
-        [:octicons-device-desktop-16:](https://github.com/etesync/etesync-dav/blob/master/README.md#specific-client-notes-and-instructions){ .card-link title="Client Setup" }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.etesync.syncadapter){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/app/com.etesync.syncadapter){ .card-link title=F-Droid }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/apple-store/id1489574285){ .card-link title="App Store" }
+        - [:octicons-device-desktop-16: Client Setup](https://github.com/etesync/etesync-dav/blob/master/README.md#specific-client-notes-and-instructions)
+        - [:fontawesome-brands-google-play: Google PLay](https://play.google.com/store/apps/details?id=com.etesync.syncadapter)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/app/com.etesync.syncadapter)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/apple-store/id1489574285)
 
 ### Nextcloud
 
@@ -97,32 +117,12 @@ Some of these options are self-hostable, but could be offered by third party Saa
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://nextcloud.com/install/#install-clients){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://nextcloud.com/install/#install-clients){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://nextcloud.com/install/#install-clients){ .card-link title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/com.nextcloud.desktopclient.nextcloud){ .card-link title=Flatpak }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.nextcloud.client){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/com.nextcloud.client){ .card-link title=F-Droid }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/nextcloud/id1125420102){ .card-link title="App Store" }
-
-### DecSync CC
-
-!!! recommendation
-
-    ![DecSync logo](assets/img/calendar-contacts/decsync.svg){ align=right }
-
-    **DecSync CC** synchronizes contacts, calendars and tasks using DecSync. It stores this data in a shared directory, using [Syncthing](file-sharing/#syncthing), or any other file synchronization service.
-
-    There are [plugins](https://github.com/39aldo39/DecSync#rss) to sync other types of data such as [RSS](news-aggregators.md).
-
-    [:octicons-repo-16: Repository](https://github.com/39aldo39/DecSync){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://github.com/39aldo39/DecSync/blob/master/design.md){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/39aldo39/DecSync){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://github.com/39aldo39/DecSync#donations){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=org.decsync.cc){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/org.decsync.cc){ .card-link title=F-Droid }
+        - [:fontawesome-brands-windows: Windows](https://nextcloud.com/install/#install-clients)
+        - [:fontawesome-brands-apple: macOS](https://nextcloud.com/install/#install-clients)
+        - [:fontawesome-brands-linux: Linux](https://nextcloud.com/install/#install-clients)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.nextcloud.desktopclient.nextcloud)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.nextcloud.client)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/nextcloud/id1125420102)
 
 --8<-- "includes/abbreviations.en.md"

docs/cloud.en.md

@@ -6,6 +6,20 @@ Many cloud storage providers require your full trust that they will not look at
 
 If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md).
 
+## Cryptee
+
+!!! recommendation
+
+    ![Cryptee logo](./assets/img/cloud/cryptee.svg#only-light){ align=right }
+    ![Cryptee logo](./assets/img/cloud/cryptee-dark.svg#only-dark){ align=right }
+
+    **Cryptee** is a web-based, encrypted, secure photo storage service and documents editor.
+
+    [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" }
+
 ## Nextcloud
 
 !!! recommendation
@@ -22,15 +36,15 @@ If these alternatives do not fit your needs, we suggest you look into [Encryptio
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://nextcloud.com/install/#install-clients){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://nextcloud.com/install/#install-clients){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://nextcloud.com/install/#install-clients){ .card-link title=Linux }
-        [:fontawesome-brands-freebsd:](https://www.freshports.org/www/nextcloud){ .card-link title=FreeBSD }
-        [:pg-openbsd:](https://openports.se/www/nextcloud){ .card-link title=OpenBSD }
-        [:pg-netbsd:](https://pkgsrc.se/www/php-nextcloud){ .card-link title=NetBSD }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.nextcloud.client){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/com.nextcloud.client){ .card-link title=F-Droid }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/id1125420102){ .card-link title=App Store }
+        - [:fontawesome-brands-windows: Windows](https://nextcloud.com/install/#install-clients)
+        - [:fontawesome-brands-apple: macOS](https://nextcloud.com/install/#install-clients)
+        - [:fontawesome-brands-linux: Linux](https://nextcloud.com/install/#install-clients)
+        - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
+        - [:pg-openbsd: OpenBSD](https://openports.se/www/nextcloud)
+        - [:pg-netbsd: NetBSD](https://pkgsrc.se/www/php-nextcloud)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.nextcloud.client)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1125420102)
 
 We recommend checking if your Nextcloud provider supports E2EE, otherwise you have to trust the provider to not look at your files.
 
@@ -53,27 +67,12 @@ Proton Drive is currently in beta and only is only available through a web clien
 
 When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](basics/threat-modeling.md), consider using an alternative.
 
-## Cryptee
-
-!!! recommendation
-
-    ![Cryptee logo](./assets/img/cloud/cryptee.svg#only-light){ align=right }
-    ![Cryptee logo](./assets/img/cloud/cryptee-dark.svg#only-dark){ align=right }
-
-    **Cryptee** is a web-based, encrypted, secure photo storage service and documents editor.
-
-    [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" }
-
 ## Tahoe-LAFS
 
 !!! note
 
     Due to the complexity of the system and the amount of nodes needed to set it up, Tahoe-LAFS is only recommended for seasoned system administrators.
 
-
 !!! recommendation
 
     ![Tahoe-LAFS logo](./assets/img/cloud/tahoe-lafs.svg#only-light){ align=right }
@@ -88,9 +87,9 @@ When using a web client, you are placing trust in the server to send you proper
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#microsoft-windows){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#linux-bsd-or-macos){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#linux-bsd-or-macos){ .card-link title=Linux }
-        [:pg-netbsd:](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#linux-bsd-or-macos){ .card-link title=NetBSD }
+        - [:fontawesome-brands-windows: Windows](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#microsoft-windows)
+        - [:fontawesome-brands-apple: macOS](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#linux-bsd-or-macos)
+        - [:fontawesome-brands-linux: Linux](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#linux-bsd-or-macos)
+        - [:pg-netbsd: NetBSD](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#linux-bsd-or-macos)
 
 --8<-- "includes/abbreviations.en.md"

docs/dns.en.md

@@ -7,7 +7,7 @@ icon: material/dns
 
     Encrypted DNS with third party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.
 
-    [Learn more about DNS](basics/dns.md){ .md-button }
+    [Learn more about DNS](basics/dns-overview.md){ .md-button }
 
 ## Recommended Providers
 
@@ -27,10 +27,10 @@ icon: material/dns
 
 The criteria for the servers listed above are:
 
-- Must support [DNSSEC](basics/dns.md#what-is-dnssec)
+- Must support [DNSSEC](basics/dns-overview.md#what-is-dnssec)
 - Must have [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support
-- [QNAME Minimization](basics/dns.md#what-is-qname-minimization)
-- Allow for [ECS](basics/dns.md#what-is-edns-client-subnet-ecs) to be disabled
+- [QNAME Minimization](basics/dns-overview.md#what-is-qname-minimization)
+- Allow for [ECS](basics/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled
 
 ## Native Operating System Support
 
@@ -72,7 +72,7 @@ Select **Settings** → **Network & Internet** → **Ethernet or WiFi**, &
 
 ## Encrypted DNS Proxies
 
-Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](basics/dns.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](basics/dns.md#what-is-encrypted-dns).
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](basics/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](basics/dns-overview.md#what-is-encrypted-dns).
 
 ### RethinkDNS
 
@@ -81,7 +81,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
     ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
     ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
 
-    **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), [DNS-over-TLS](basics/dns.md#dns-over-tls-dot), [DNSCrypt](basics/dns.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+    **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](basics/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](basics/dns-overview.md#dns-over-tls-dot), [DNSCrypt](basics/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
 
     [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
@@ -90,8 +90,8 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.celzero.bravedns){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/com.celzero.bravedns){ .card-link title=F-Droid }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.celzero.bravedns)
 
 ### DNSCloak
 
@@ -99,7 +99,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
 
     ![DNSCloak logo](assets/img/ios/dnscloak.png){ align=right }
 
-    **DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), [DNSCrypt](basics/dns.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. You can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
+    **DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](basics/dns-overview.md#dns-over-https-doh), [DNSCrypt](basics/dns-overview.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. You can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
 
     [:octicons-repo-16: Repository](https://github.com/s-s/dnscloak){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view){ .card-link title="Privacy Policy" }
@@ -107,7 +107,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
 
     ??? downloads
 
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/id1452162351){ .card-link title="App Store" }
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1452162351)
 
 ### dnscrypt-proxy
 
@@ -115,9 +115,9 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
 
     ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
 
-    **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](basics/dns.md#dnscrypt), [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+    **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](basics/dns-overview.md#dnscrypt), [DNS-over-HTTPS](basics/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
 
-    !!! warning "The anonymized DNS feature does [**not**](basics/dns.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+    !!! warning "The anonymized DNS feature does [**not**](basics/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
 
     [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
     [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
@@ -126,9 +126,9 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux){ .card-link title=Linux }
+        - [:fontawesome-brands-windows: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)
+        - [:fontawesome-brands-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS)
+        - [:fontawesome-brands-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux)
 
 ## Self-hosted Solutions
 

docs/email-clients.en.md

@@ -2,7 +2,7 @@
 title: "Email Clients"
 icon: material/email-open
 ---
-Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](multi-factor-authentication) and prevent account theft.
+Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft.
 
 ??? Attention "Email does not provide forward secrecy"
     When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
@@ -11,7 +11,9 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 
     [Real-time Communication](real-time-communication.md){ .md-button }
 
-## Thunderbird
+## Cross-Platform
+
+### Thunderbird
 
 !!! recommendation
 
@@ -26,16 +28,14 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://www.thunderbird.net){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://www.thunderbird.net){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://www.thunderbird.net){ .card-link title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/org.mozilla.Thunderbird){ .card-link title=Flatpak }
+        - [:fontawesome-brands-windows: Windows](https://www.thunderbird.net)
+        - [:fontawesome-brands-apple: macOS](https://www.thunderbird.net)
+        - [:fontawesome-brands-linux: Linux](https://www.thunderbird.net)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.Thunderbird)
 
-## Apple Mail
+## Platform Specific
 
-!!! note
-
-    For iOS devices we suggest [Canary Mail](#canary-mail) as it has PGP support which means you can send end-to-end encrypted email.
+### Apple Mail (macOS)
 
 !!! recommendation
 
@@ -47,83 +47,32 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
     [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" }
     [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation}
 
-## GNOME Evolution
+### Canary Mail (iOS)
 
 !!! recommendation
 
-    ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right }
+    ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
 
-    **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.
+    **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
 
-    [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute }
+    [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
 
     ??? downloads
 
-        [:pg-flathub:](https://flathub.org/apps/details/org.gnome.Evolution){ .card-link title=Flatpak }
+        - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/id1236045954)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1236045954)
+        - [:fontawesome-brands-windows: Windows](https://canarymail.io/downloads.html)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
 
-## Kontact
+!!! attention
 
-!!! recommendation
+    Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
 
-    ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right }
+Canary Mail is closed source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
 
-    **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.
-
-    [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-linux:](https://kontact.kde.org/download){ .card-link title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/org.kde.kontact){ .card-link title=Flatpak }
-
-## Mailvelope
-
-!!! recommendation
-
-    ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right }
-
-    **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
-
-    [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        [:fontawesome-brands-firefox:](https://addons.mozilla.org/firefox/addon/mailvelope){ .card-link title=Firefox }
-        [:fontawesome-brands-chrome:](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke){ .card-link title=Chrome }
-        [:fontawesome-brands-edge:](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc){ .card-link title=Edge }
-
-## K-9 Mail
-
-!!! recommendation
-
-    ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right }
-
-    **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
-
-    [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.fsck.k9){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/com.fsck.k9){ .card-link title=F-Droid }
-        [:fontawesome-brands-github:](https://github.com/k9mail/k-9/releases){ .card-link title=GitHub }
-
-## FairEmail
+### FairEmail (Android)
 
 !!! recommendation
 
@@ -139,35 +88,86 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=eu.faircode.email){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/eu.faircode.email/){ .card-link title=F-Droid }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/eu.faircode.email/)
 
-## Canary Mail
+### GNOME Evolution (GNOME)
 
 !!! recommendation
 
-    ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
+    ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right }
 
-    **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
+    **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.
 
-    [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation}
+    [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute }
 
     ??? downloads
 
-        [:fontawesome-brands-app-store:](https://apps.apple.com/app/id1236045954){ .card-link title="Mac App Store" }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/id1236045954){ .card-link title="App Store" }
-        [:fontawesome-brands-windows:](https://canarymail.io/downloads.html){ .card-link title=Windows }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=io.canarymail.android){ .card-link title="Google Play" }
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.gnome.Evolution)
 
-!!! attention
+### K-9 Mail (Android)
 
-    Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
+!!! recommendation
 
-Canary Mail is closed source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
+    ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right }
 
-## NeoMutt
+    **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
+
+    [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9)
+        - [:fontawesome-brands-github: GitHub](https://github.com/k9mail/k-9/releases)
+
+### Kontact (KDE)
+
+!!! recommendation
+
+    ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right }
+
+    **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.
+
+    [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-linux: Linux](https://kontact.kde.org/download)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.kde.kontact)
+
+### Mailvelope (Browser)
+
+!!! recommendation
+
+    ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right }
+
+    **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
+
+    [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope)
+        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke)
+        - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
+
+### NeoMutt (CLI)
 
 !!! recommendation
 
@@ -184,7 +184,7 @@ Canary Mail is closed source. We recommend it due to the few choices there are f
 
     ??? downloads
 
-        [:fontawesome-brands-linux:](https://neomutt.org/distro){ .card-link title=Linux }
-        [:fontawesome-brands-apple:](https://neomutt.org/distro){ .card-link title=macOS }
+        - [:fontawesome-brands-linux: Linux](https://neomutt.org/distro)
+        - [:fontawesome-brands-apple: macOS](https://neomutt.org/distro)
 
 --8<-- "includes/abbreviations.en.md"

docs/email.en.md

@@ -16,6 +16,50 @@ For everything else, we recommend a variety of email providers based on sustaina
 
 ## Recommended Email Providers
 
+### Mailbox.org
+
+!!! recommendation
+
+    ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+
+    **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+
+    **EUR €12/year**
+
+    [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+
+??? check "Custom Domains and Aliases"
+
+    Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
+
+??? info "Private Payment Methods"
+
+    Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+
+??? check "Account Security"
+
+    Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+
+??? info "Data Security"
+
+    Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+
+    However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar-contacts.md) may be more appropriate for that information.
+
+??? check "Email Encryption"
+
+    Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
+
+    Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+
+??? info "Additional Functionality"
+
+    You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service, and you may experience TLS certificate errors.
+
+    All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
+
 ### Proton Mail
 
 !!! recommendation
@@ -64,49 +108,46 @@ For everything else, we recommend a variety of email providers based on sustaina
 
     Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
 
-### Mailbox.org
+### StartMail
 
 !!! recommendation
 
-    ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
+    ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
+    ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
 
-    **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
+    **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
 
-    **EUR €12/year**
+    **USD $59.95/year**
 
-    [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}
+    [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
 
 ??? check "Custom Domains and Aliases"
 
-    Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
+    Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
 
-??? info "Private Payment Methods"
+??? warning "Private Payment Methods"
 
-    Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
+    StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
 
 ??? check "Account Security"
 
-    Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+    StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication.
 
 ??? info "Data Security"
 
-    Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key.
+    StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
 
-    However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar-contacts.md) may be more appropriate for that information.
+    StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption, so a [standalone option](calendar-contacts.md) may be more appropriate.
 
 ??? check "Email Encryption"
 
-    Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
-
-    Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE.
+    StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
 
 ??? info "Additional Functionality"
 
-    You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service, and you may experience TLS certificate errors.
-
-    All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
+    StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
 
 ### Tutanota
 
@@ -159,47 +200,6 @@ Tutanota is working on a [desktop client](https://tutanota.com/blog/posts/deskto
 
     Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y.
 
-### StartMail
-
-!!! recommendation
-
-    ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right }
-    ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right }
-
-    **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
-
-    **USD $59.95/year**
-
-    [:octicons-home-16: Homepage](https://startmail.com/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
-
-??? check "Custom Domains and Aliases"
-
-    Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
-
-??? warning "Private Payment Methods"
-
-    StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
-
-??? check "Account Security"
-
-    StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication.
-
-??? info "Data Security"
-
-    StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
-
-    StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption, so a [standalone option](calendar-contacts.md) may be more appropriate.
-
-??? check "Email Encryption"
-
-    StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys.
-
-??? info "Additional Functionality"
-
-    StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is.
-
 ## Email Aliasing Services
 
 An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address.
@@ -221,36 +221,6 @@ Our email aliasing recommendations are providers that allow you to create aliase
 
 Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from 2 to 1 by encrypting incoming emails before they are delivered to your final mailbox provider.
 
-### SimpleLogin
-
-!!! recommendation
-
-    ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
-
-    **[SimpleLogin](https://simplelogin.io)** is a free service which provides email aliases on a variety of shared domain names, and optionally provides features like unlimited aliases and custom domains for $30/year. [Source code on GitHub](https://github.com/simple-login/app).
-
-    [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
-
-    ??? downloads
-        [:fontawesome-brands-firefox:](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/){ .card-link title=Firefox }
-        [:fontawesome-brands-chrome:](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn){ .card-link title=Chrome }
-        [:fontawesome-brands-edge:](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff){ .card-link title=Edge }
-        [:fontawesome-brands-safari:](https://apps.apple.com/app/id1494051017){ .card-link title=Safari }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/id1494359858){ .card-link title="App Store" }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=io.simplelogin.android){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/en/packages/io.simplelogin.android.fdroid/){ .card-link title=F-Droid }
-
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing.
-
-Notable free features:
-
-- [x] 15 Shared Aliases
-- [x] Unlimited Replies
-- [x] 1 Recepient Mailbox
-
 ### AnonAddy
 
 !!! recommendation
@@ -266,10 +236,10 @@ Notable free features:
     [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }
 
     ??? downloads
-        [:fontawesome-brands-firefox:](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/){ .card-link title=Firefox }
-        [:fontawesome-brands-chrome:](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe){ .card-link title=Chrome }
-        [:material-apple-ios:](https://anonaddy.com/faq/#is-there-an-ios-app){ .card-link title=iOS }
-        [:fontawesome-brands-android:](https://anonaddy.com/faq/#is-there-an-android-app){ .card-link title=Android }
+        - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
+        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
+        - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
+        - [:fontawesome-brands-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
 
 The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/month plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
 
@@ -281,6 +251,36 @@ Notable free features:
 - [x] 2 Receipent Mailboxes
 - [x] Automatic PGP Encryption
 
+### SimpleLogin
+
+!!! recommendation
+
+    ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right }
+
+    **[SimpleLogin](https://simplelogin.io)** is a free service which provides email aliases on a variety of shared domain names, and optionally provides features like unlimited aliases and custom domains for $30/year. [Source code on GitHub](https://github.com/simple-login/app).
+
+    [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
+
+    ??? downloads
+        - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
+        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
+        - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+        - [:fontawesome-brands-safari: Safari](https://apps.apple.com/app/id1494051017)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1494359858)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/io.simplelogin.android.fdroid/)
+
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing.
+
+Notable free features:
+
+- [x] 15 Shared Aliases
+- [x] Unlimited Replies
+- [x] 1 Recepient Mailbox
+
 *[Automatic PGP Encryption]: Allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content.
 
 ## Self-Hosting Email
@@ -289,16 +289,6 @@ Advanced system administrators may consider setting up their own email server. M
 
 ### Combined software solutions
 
-!!! recommendation
-
-    ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
-
-    **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
-
-    [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
-
 !!! recommendation
 
     ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
@@ -310,6 +300,16 @@ Advanced system administrators may consider setting up their own email server. M
     [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" }
     [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute }
 
+!!! recommendation
+
+    ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right }
+
+    **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server.
+
+    [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
+
 For a more manual approach we've picked out these two articles.
 
 - [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
@@ -424,4 +424,3 @@ Must not have any marketing which is irresponsible:
 While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend.
 
 --8<-- "includes/abbreviations.en.md"
-

docs/encryption.en.md

@@ -8,33 +8,7 @@ Encryption of data is the only way to control who can access it. If you are curr
 
 The options listed here are multi-platform and great for creating encrypted backups of your data.
 
-### VeraCrypt
-
-!!! recommendation
-
-    ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
-    ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
-
-    **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
-
-    [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
-    [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-windows:](https://www.veracrypt.fr/en/Downloads.html){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://www.veracrypt.fr/en/Downloads.html){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://www.veracrypt.fr/en/Downloads.html){ .card-link title=Linux }
-
-VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
-
-When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
-
-Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits) and VeraCrypt has also been [audited seperately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
-
-### Cryptomator
+### Cryptomator (Cloud)
 
 !!! recommendation
 
@@ -50,13 +24,13 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://cryptomator.org/downloads){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://cryptomator.org/downloads){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://cryptomator.org/downloads){ .card-link title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/org.cryptomator.Cryptomator){ .card-link title=Flatpak }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=org.cryptomator){ .card-link title="Google Play" }
-        [:fontawesome-brands-android:](https://cryptomator.org/android){ .card-link title=Android }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/cryptomator-2/id1560822163){ .card-link title="App Store" }
+        - [:fontawesome-brands-windows: Windows](https://cryptomator.org/downloads)
+        - [:fontawesome-brands-apple: macOS](https://cryptomator.org/downloads)
+        - [:fontawesome-brands-linux: Linux](https://cryptomator.org/downloads)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+        - [:fontawesome-brands-android: Android](https://cryptomator.org/android)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
 
 Cryptomator utilizes AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt some metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
 
@@ -64,7 +38,7 @@ Some Cryptomator cryptographic libraries have been [audited](https://community.c
 
 Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
 
-### Picocrypt
+### Picocrypt (File)
 
 !!! recommendation
 
@@ -78,9 +52,35 @@ Cryptomator's documentation details its intended [security target](https://docs.
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://github.com/HACKERALERT/Picocrypt/releases){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://github.com/HACKERALERT/Picocrypt/releases){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://github.com/HACKERALERT/Picocrypt/releases){ .card-link title=Linux }
+        - [:fontawesome-brands-windows: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
+        - [:fontawesome-brands-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
+        - [:fontawesome-brands-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
+
+### VeraCrypt (Disk)
+
+!!! recommendation
+
+    ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
+    ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
+
+    **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
+
+    [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation}
+    [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://www.veracrypt.fr/en/Downloads.html)
+        - [:fontawesome-brands-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
+        - [:fontawesome-brands-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
+
+VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
+
+When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
+
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits) and VeraCrypt has also been [audited seperately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
 
 ## OS Full Disk Encryption
 
@@ -216,9 +216,9 @@ Tools with command-line interfaces are useful for integrating [shell scripts](ht
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://www.kryptor.co.uk){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://www.kryptor.co.uk){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://www.kryptor.co.uk){ .card-link title=Linux }
+        - [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk)
+        - [:fontawesome-brands-apple: macOS](https://www.kryptor.co.uk)
+        - [:fontawesome-brands-linux: Linux](https://www.kryptor.co.uk)
 
 ### Tomb
 
@@ -262,10 +262,10 @@ When encrypting with PGP, you have the option to configure different options in
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://gpg4win.org/download.html){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://gpgtools.org){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://gnupg.org/download/index.html#binary){ .card-link title=Linux }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain){ .card-link title="Google Play" }
+        - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html)
+        - [:fontawesome-brands-apple: macOS](https://gpgtools.org)
+        - [:fontawesome-brands-linux: Linux](https://gnupg.org/download/index.html#binary)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
 
 ### GPG4win
 
@@ -283,7 +283,7 @@ When encrypting with PGP, you have the option to configure different options in
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://gpg4win.org/download.html){ .card-link title=Windows }
+        - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html)
 
 ### GPG Suite
 
@@ -306,7 +306,7 @@ When encrypting with PGP, you have the option to configure different options in
 
     ??? downloads
 
-        [:fontawesome-brands-apple:](https://gpgtools.org){ .card-link title=macOS }
+        - [:fontawesome-brands-apple: macOS](https://gpgtools.org)
 
 ### OpenKeychain
 
@@ -324,7 +324,7 @@ When encrypting with PGP, you have the option to configure different options in
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/org.sufficientlysecure.keychain/){ .card-link title=F-Droid }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.sufficientlysecure.keychain/)
 
 --8<-- "includes/abbreviations.en.md"

docs/file-sharing.en.md

@@ -6,6 +6,24 @@ Discover how to privately share your files between your devices, with your frien
 
 ## File Sharing
 
+### Magic Wormhole
+
+!!! recommendation
+
+    ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ align=right }
+
+    **Magic Wormhole** is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. Their motto: "Get things from one computer to another, safely.
+
+    [:octicons-repo-16: Repository](https://github.com/magic-wormhole/magic-wormhole){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://magic-wormhole.readthedocs.io/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/magic-wormhole/magic-wormhole){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation)
+        - [:fontawesome-brands-apple: macOS](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#macos-os-x)
+        - [:fontawesome-brands-linux: Linux](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation)
+
 ### OnionShare
 
 !!! recommendation
@@ -21,27 +39,9 @@ Discover how to privately share your files between your devices, with your frien
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://onionshare.org/#download){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://onionshare.org/#download){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://onionshare.org/#download){ .card-link title=Linux }
-
-### Magic Wormhole
-
-!!! recommendation
-
-    ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ align=right }
-
-    **Magic Wormhole** is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. Their motto: "Get things from one computer to another, safely.
-
-    [:octicons-repo-16: Repository](https://github.com/magic-wormhole/magic-wormhole){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://magic-wormhole.readthedocs.io/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/magic-wormhole/magic-wormhole){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        [:fontawesome-brands-windows:](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#macos-os-x){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation){ .card-link title=Linux }
+        - [:fontawesome-brands-windows: Windows](https://onionshare.org/#download)
+        - [:fontawesome-brands-apple: macOS](https://onionshare.org/#download)
+        - [:fontawesome-brands-linux: Linux](https://onionshare.org/#download)
 
 ## FreedomBox
 
@@ -58,30 +58,6 @@ Discover how to privately share your files between your devices, with your frien
 
 ## File Sync
 
-### Syncthing
-
-!!! recommendation
-
-    ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
-
-    **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
-
-    [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-windows:](https://syncthing.net/downloads/){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://syncthing.net/downloads/){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://syncthing.net/downloads/){ .card-link title=Linux }
-        [:fontawesome-brands-freebsd:](https://syncthing.net/downloads/){ .card-link title=FreeBSD }
-        [:pg-openbsd:](https://syncthing.net/downloads/){ .card-link title=OpenBSD }
-        [:pg-netbsd:](https://syncthing.net/downloads/){ .card-link title=NetBSD }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/com.nutomic.syncthingandroid/){ .card-link title=F-Droid }
-
 ### git-annex
 
 !!! recommendation
@@ -98,6 +74,30 @@ Discover how to privately share your files between your devices, with your frien
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://git-annex.branchable.com/install/Windows){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://git-annex.branchable.com/install/OSX){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://git-annex.branchable.com/install){ .card-link title=Linux }
+        - [:fontawesome-brands-windows: Windows](https://git-annex.branchable.com/install/Windows)
+        - [:fontawesome-brands-apple: macOS](https://git-annex.branchable.com/install/OSX)
+        - [:fontawesome-brands-linux: Linux](https://git-annex.branchable.com/install)
+
+### Syncthing
+
+!!! recommendation
+
+    ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
+
+    **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
+
+    [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://syncthing.net/downloads/)
+        - [:fontawesome-brands-apple: macOS](https://syncthing.net/downloads/)
+        - [:fontawesome-brands-linux: Linux](https://syncthing.net/downloads/)
+        - [:fontawesome-brands-freebsd: FreeBSD](https://syncthing.net/downloads/)
+        - [:pg-openbsd: OpenBSD](https://syncthing.net/downloads/)
+        - [:pg-netbsd: NetBSD](https://syncthing.net/downloads/)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.nutomic.syncthingandroid/)

docs/linux-desktop/overview.en.md

@@ -75,9 +75,9 @@ We strongly recommend **against** using the Linux-libre kernel, since it [remove
 
 ### Drive Encryption
 
-Most Linux distributions have an option within its installer for enabling [LUKS](/encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
 
-- [Secure Data Erasure :hero-arrow-circle-right-fill:](../basics/erasing-data.md)
+- [Secure Data Erasure :hero-arrow-circle-right-fill:](../advanced/erasing-data.md)
 
 ### Swap
 

docs/metadata-removal-tools.en.md

@@ -6,6 +6,24 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
 ## Desktop
 
+### ExifCleaner
+
+!!! recommendation
+
+    ![ExifCleaner logo](assets/img/metadata-removal/exifcleaner.svg){ align=right }
+
+    **ExifCleaner** is a freeware, open source graphical app that uses [ExifTool](https://exiftool.org) to remove Exif metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.
+
+    [:octicons-home-16: Homepage](https://exifcleaner.com){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://github.com/szTheory/exifcleaner#readme){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/szTheory/exifcleaner){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://github.com/szTheory/exifcleaner/releases)
+        - [:fontawesome-brands-apple: macOS](https://github.com/szTheory/exifcleaner/releases)
+        - [:fontawesome-brands-linux: Linux](https://github.com/szTheory/exifcleaner/releases)
+
 ### MAT2
 
 !!! recommendation
@@ -22,32 +40,49 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://pypi.org/project/mat2){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://pypi.org/project/mat2){ .card-link title=Linux }
-        [:octicons-globe-16:](https://0xacab.org/jvoisin/mat2#web-interface){ .card-link title=Web }
-
-### ExifCleaner
-
-!!! recommendation
-
-    ![ExifCleaner logo](assets/img/metadata-removal/exifcleaner.svg){ align=right }
-
-    **ExifCleaner** is a freeware, open source graphical app that uses [ExifTool](https://exiftool.org) to remove Exif metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.
-
-    [:octicons-home-16: Homepage](https://exifcleaner.com){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://github.com/szTheory/exifcleaner#readme){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/szTheory/exifcleaner){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        [:fontawesome-brands-windows:](https://github.com/szTheory/exifcleaner/releases){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://github.com/szTheory/exifcleaner/releases){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://github.com/szTheory/exifcleaner/releases){ .card-link title=Linux }
+        - [:fontawesome-brands-windows: Windows](https://pypi.org/project/mat2)
+        - [:fontawesome-brands-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew)
+        - [:fontawesome-brands-linux: Linux](https://pypi.org/project/mat2)
+        - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface)
 
 ## Mobile
 
-### Scrambled Exif
+### Imagepipe (Android)
+
+!!! recommendation
+
+    ![Imagepipe logo](assets/img/metadata-removal/imagepipe.svg){ align=right }
+
+    **Imagepipe** is a a paint app for Android that can be used to redact photos and also delete Exif metadata. It has been translated into [many](https://codeberg.org/Starfish/Imagepipe#translations) languages.
+
+    [:octicons-repo-16: Repository](https://codeberg.org/Starfish/Imagepipe){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://codeberg.org/Starfish/Imagepipe/src/branch/master/README.md){ .card-link title=Documentation}
+    [:octicons-code-16:](https://codeberg.org/Starfish/Imagepipe){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.kaffeemitkoffein.imagepipe/)
+
+Imagepipe is only available from F-Droid and not in Google Play. If you're looking for a paint app in Google Play we suggest [Pocket Paint](https://play.google.com/store/apps/details?id=org.catrobat.paintroid).
+
+### Metapho (iOS)
+
+!!! recommendation
+
+    ![Metapho logo](assets/img/metadata-removal/metapho.jpg){ align=right }
+
+    Metapho is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
+    
+    Metapho is closed source, however we recommend it due to the few choices there are for iOS.
+
+    [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
+
+    ??? downloads
+
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/metapho/id914457352)
+
+### Scrambled Exif (Android)
 
 !!! recommendation
 
@@ -63,43 +98,8 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.jarsilio.android.scrambledeggsif){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/en/packages/com.jarsilio.android.scrambledeggsif){ .card-link title=F-Droid }
-
-### Imagepipe
-
-!!! recommendation
-
-    ![Imagepipe logo](assets/img/metadata-removal/imagepipe.svg){ align=right }
-
-    **Imagepipe** is a a paint app for Android that can be used to redact photos and also delete Exif metadata. It has been translated into [many](https://codeberg.org/Starfish/Imagepipe#translations) languages.
-
-    [:octicons-repo-16: Repository](https://codeberg.org/Starfish/Imagepipe){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://codeberg.org/Starfish/Imagepipe/src/branch/master/README.md){ .card-link title=Documentation}
-    [:octicons-code-16:](https://codeberg.org/Starfish/Imagepipe){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        [:pg-f-droid:](https://f-droid.org/en/packages/de.kaffeemitkoffein.imagepipe/){ .card-link title=F-Droid }
-
-Imagepipe is only available from F-Droid and not in Google Play. If you're looking for a paint app in Google Play we suggest [Pocket Paint](https://play.google.com/store/apps/details?id=org.catrobat.paintroid).
-
-### Metapho
-
-!!! recommendation
-
-    ![Metapho logo](assets/img/metadata-removal/metapho.jpg){ align=right }
-
-    Metapho is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
-    
-    Metapho is closed source, however we recommend it due to the few choices there are for iOS.
-
-    [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
-
-    ??? downloads
-
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/metapho/id914457352){ .card-link title="App Store" }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.jarsilio.android.scrambledeggsif)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.jarsilio.android.scrambledeggsif)
 
 ## Command-line
 
@@ -120,10 +120,9 @@ Imagepipe is only available from F-Droid and not in Google Play. If you're looki
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://exiftool.org){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://exiftool.org){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://exiftool.org){ .card-link title=Linux }
-
+        - [:fontawesome-brands-windows: Windows](https://exiftool.org)
+        - [:fontawesome-brands-apple: macOS](https://exiftool.org)
+        - [:fontawesome-brands-linux: Linux](https://exiftool.org)
 
 !!! example "Deleting data from a directory of files"
 

docs/multi-factor-authentication.en.md

@@ -4,29 +4,6 @@ icon: 'material/two-factor-authentication'
 ---
 ## Hardware Security Keys
 
-### YubiKey
-
-!!! recommendation
-
-    ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-    The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-    One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
-
-    [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
-
-The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-!!! warning
-    The firmware of YubiKeys are not open source and are not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
 ### Nitrokey / Librem Key
 
 !!! recommendation
@@ -61,6 +38,29 @@ For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 fo
 
     The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app).
 
+### YubiKey
+
+!!! recommendation
+
+    ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+    The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+    One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+    [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+!!! warning
+    The firmware of YubiKeys are not open source and are not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
 ## Authenticator Apps
 
 Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret, or otherwise be able to predict what any future codes might be.
@@ -83,9 +83,9 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/en/packages/com.beemdevelopment.aegis){ .card-link title=F-Droid }
-        [:fontawesome-brands-github:](https://github.com/beemdevelopment/Aegis/releases){ .card-link title=GitHub }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.beemdevelopment.aegis)
+        - [:fontawesome-brands-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)
 
 ### Raivo OTP
 
@@ -102,7 +102,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
     ??? downloads
 
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/raivo-otp/id1459042137){ .card-link title="App Store" }
-        [:fontawesome-brands-app-store:](https://apps.apple.com/us/app/raivo-otp/id1498497896){ .card-link title="Mac App Store" }
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
+        - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/us/app/raivo-otp/id1498497896)
 
 --8<-- "includes/abbreviations.en.md"

docs/news-aggregators.en.md

@@ -7,42 +7,6 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
 
 ## Aggregator clients
 
-### Fluent Reader
-
-!!! recommendation
-
-    ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right }
-
-    **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](self-contained-networks.md#tor).
-
-    [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-windows:](https://hyliu.me/fluent-reader){ .card-link title=Windows }
-        [:fontawesome-brands-app-store:](https://apps.apple.com/app/id1520907427){ .card-link title="Mac App Store" }
-
-### GNOME Feeds
-
-!!! recommendation
-
-    ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
-
-    **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.
-
-    [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
-    [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-linux:](https://gfeeds.gabmus.org/#install){ .card-link title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/org.gabmus.gfeeds){ .card-link title=Flatpak }
-
 ### Akregator
 
 !!! recommendation
@@ -59,7 +23,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
 
     ??? downloads
 
-        [:pg-flathub:](https://flathub.org/apps/details/org.kde.akregator){ .card-link title=Flatpak }
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.kde.akregator)
 
 ### Feeder
 
@@ -75,8 +39,58 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/en/packages/com.nononsenseapps.feeder/){ .card-link title=F-Droid }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.nononsenseapps.feeder/)
+
+### Fluent Reader
+
+!!! recommendation
+
+    ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right }
+
+    **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](self-contained-networks.md#tor).
+
+    [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://hyliu.me/fluent-reader)
+        - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/id1520907427)
+
+### GNOME Feeds
+
+!!! recommendation
+
+    ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right }
+
+    **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.
+
+    [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
+    [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-linux: Linux](https://gfeeds.gabmus.org/#install)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.gabmus.gfeeds)
+
+### Miniflux
+
+!!! recommendation
+
+    ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
+    ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
+
+    **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+
+    [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute }
 
 ### NetNewsWire
 
@@ -93,22 +107,8 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
 
     ??? downloads
 
-        [:fontawesome-brands-apple:](https://netnewswire.com){ .card-link title=macOS }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210){ .card-link title="App Store" }
-
-### Miniflux
-
-!!! recommendation
-
-    ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right }
-    ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right }
-
-    **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
-
-    [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute }
+        - [:fontawesome-brands-apple: macOS](https://netnewswire.com)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
 
 ### Newsboat
 
@@ -122,24 +122,13 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
     [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation}
     [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" }
 
-## Social media that supports RSS
+## Social Media RSS Support
 
 Some social media services also support RSS although it's not often advertised.
 
-### YouTube
-
-You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
-
-!!! example
-
-    To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `channel_id` below:
-    ```text
-    https://www.youtube.com/feeds/videos.xml?channel_id={{ channel id }}
-    ```
-
 ### Reddit
 
-Reddit also supports subscription via RSS.
+Reddit allows you to subscribe to subreddits via RSS.
 
 !!! example
     Replace `subreddit_name` with the subreddit you wish to subscribe to.
@@ -159,3 +148,14 @@ Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instan
        ```text
        https://{{ nitter_instance }}/{{ twitter_account }}/rss
        ```
+
+### YouTube
+
+You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
+!!! example
+
+    To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `channel_id` below:
+    ```text
+    https://www.youtube.com/feeds/videos.xml?channel_id={{ channel id }}
+    ```

docs/notebooks.en.md

@@ -9,57 +9,6 @@ If you are currently using an application like Evernote, Google Keep, or Microso
 
 ## Cloud based
 
-### Joplin
-
-!!! recommendation
-
-    ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right }
-
-    **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
-
-    [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-windows:](https://joplinapp.org/#desktop-applications){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://joplinapp.org/#desktop-applications){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://joplinapp.org/#desktop-applications){ .card-link title=Linux }
-        [:fontawesome-brands-firefox-browser:](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/){ .card-link title=Firefox }
-        [:fontawesome-brands-chrome:](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek){ .card-link title=Chrome }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/joplin/id1315599797){ .card-link title="App Store" }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=net.cozic.joplin){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/en/packages/net.cozic.joplin){ .card-link title=F-Droid }
-
-Joplin does not support password/pin protection for the [application itself or individual notes/notebooks](https://github.com/laurent22/joplin/issues/289). Data is still encrypted in transit and at the sync location using your master key.
-
-### Standard Notes
-
-!!! recommendation
-
-    ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right }
-
-    Standard Notes is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).
-
-    [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-windows:](https://standardnotes.com){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://standardnotes.com){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://standardnotes.com){ .card-link title=Linux }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/id1285392450){ .card-link title="App Store" }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.standardnotes){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/en/packages/com.standardnotes){ .card-link title=F-Droid }
-        [:octicons-globe-16:](https://app.standardnotes.com/){ .card-link title=Web }
-
 ### EteSync Notes
 
 !!! recommendation
@@ -78,10 +27,60 @@ Joplin does not support password/pin protection for the [application itself or i
 
     ??? downloads
 
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.etesync.notes){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/com.etesync.notes){ .card-link title=F-Droid }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/etesync-notes/id1533806351){ .card-link title="App Store" }
-        [:octicons-globe-16:](https://notes.etesync.com){ .card-link title=Web }
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.etesync.notes)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.etesync.notes)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/etesync-notes/id1533806351)
+        - [:octicons-globe-16: Web](https://notes.etesync.com)
+
+### Joplin
+
+!!! recommendation
+
+    ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right }
+
+    **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.
+
+    [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://joplinapp.org/#desktop-applications)
+        - [:fontawesome-brands-apple: macOS](https://joplinapp.org/#desktop-applications)
+        - [:fontawesome-brands-linux: Linux](https://joplinapp.org/#desktop-applications)
+        - [:fontawesome-brands-firefox-browser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
+        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+
+Joplin does not support password/pin protection for the [application itself or individual notes/notebooks](https://github.com/laurent22/joplin/issues/289). Data is still encrypted in transit and at the sync location using your master key.
+
+### Standard Notes
+
+!!! recommendation
+
+    ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right }
+
+    Standard Notes is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).
+
+    [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://standardnotes.com)
+        - [:fontawesome-brands-apple: macOS](https://standardnotes.com)
+        - [:fontawesome-brands-linux: Linux](https://standardnotes.com)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1285392450)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.standardnotes)
+        - [:octicons-globe-16: Web](https://app.standardnotes.com/)
 
 ## Local notebooks
 

docs/passwords.en.md

@@ -10,10 +10,29 @@ Stay safe and secure online with an encrypted and open-source password manager.
 - Store an exported backup of your passwords in an [encrypted container](encryption.md) on another storage device. This can be useful if something happens to your device or the service you are using.
 - If possible, store TOTP tokens in a separate [TOTP app](basics/multi-factor-authentication.md#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
 
-## Local Password Managers
+## Local Storage
 
 These password managers store the password database locally.
 
+### KeePassDX
+
+!!! recommendation
+
+    ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right }
+
+    **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
+
+    [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
+        - [:pg-f-droid: F-Droid](https://www.f-droid.org/packages/com.kunzisoft.keepass.libre)
+        - [:fontawesome-brands-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases)
+
 ### KeePassXC
 
 !!! recommendation
@@ -30,37 +49,18 @@ These password managers store the password database locally.
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://keepassxc.org/download/#windows){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://keepassxc.org/download/#mac){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://keepassxc.org/download/#linux){ .card-link title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/org.keepassxc.KeePassXC){ .card-link title=Flatpak }
-        [:fontawesome-brands-firefox:](https://addons.mozilla.org/firefox/addon/keepassxc-browser){ .card-link title=Firefox }
-        [:fontawesome-brands-chrome:](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk){ .card-link title=Chrome }
+        - [:fontawesome-brands-windows: Windows](https://keepassxc.org/download/#windows)
+        - [:fontawesome-brands-apple: macOS](https://keepassxc.org/download/#mac)
+        - [:fontawesome-brands-linux: Linux](https://keepassxc.org/download/#linux)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC)
+        - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser)
+        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
 
 KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually.
 
-### KeePassDX
+## Cloud Sync
 
-!!! recommendation
-
-    ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right }
-
-    **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development.
-
-    [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://www.f-droid.org/packages/com.kunzisoft.keepass.libre){ .card-link title=F-Droid }
-        [:fontawesome-brands-github:](https://github.com/Kunzisoft/KeePassDX/releases){ .card-link title=GitHub }
-
-## Cloud Syncing Password Managers
-
-These password managers sync up to a cloud server that may be self-hostable.
+These password managers sync your passwords to a cloud server for easy accessibility from all your devices. Our recommendations have open-source server-side code which is optionally self-hostable.
 
 ### Bitwarden
 
@@ -68,7 +68,7 @@ These password managers sync up to a cloud server that may be self-hostable.
 
     ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right }
 
-    **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the easiest and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. If you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden server.
+    **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the easiest and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices.
 
     [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" }
@@ -77,16 +77,28 @@ These password managers sync up to a cloud server that may be self-hostable.
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://bitwarden.com/download){ .card-link title=Windows }
-        [:fontawesome-brands-app-store:](https://apps.apple.com/app/bitwarden/id1352778147){ .card-link title="Mac App Store" }
-        [:fontawesome-brands-linux:](https://bitwarden.com/download){ .card-link title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/com.bitwarden.desktop){ .card-link title=Flatpak }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/bitwarden-password-manager/id1137397744){ .card-link title="App Store" }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://mobileapp.bitwarden.com/fdroid){ .card-link title=F-Droid }
-        [:fontawesome-brands-firefox:](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager){ .card-link title=Firefox }
-        [:fontawesome-brands-chrome:](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb){ .card-link title=Chrome }
-        [:fontawesome-brands-edge:](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh){ .card-link title=Edge }
+        - [:fontawesome-brands-windows: Windows](https://bitwarden.com/download)
+        - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/bitwarden/id1352778147)
+        - [:fontawesome-brands-linux: Linux](https://bitwarden.com/download)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.bitwarden.desktop)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
+        - [:pg-f-droid: F-Droid](https://mobileapp.bitwarden.com/fdroid)
+        - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
+        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
+        - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
+
+Bitwarden's server-side code is [open source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server.
+
+![Vaultwarden logo](assets/img/password-management/vaultwarden.svg#only-light){ align=right }
+![Vaultwarden logo](assets/img/password-management/vaultwarden-dark.svg#only-dark){ align=right }
+
+**Vaultwarden** is an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+
+[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden){ .md-button }
+[:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation}
+[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute }
 
 ### Psono
 
@@ -94,7 +106,7 @@ These password managers sync up to a cloud server that may be self-hostable.
 
     ![Psono logo](assets/img/password-management/psono.svg){ align=right }
 
-    **Psono** is a free and open source password manager from Germany, with a focus on password management for teams. It can be [self-hosted](#password-management-servers). Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
+    **Psono** is a free and open source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
 
     [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" }
@@ -103,50 +115,13 @@ These password managers sync up to a cloud server that may be self-hostable.
 
     ??? downloads
 
-        [:fontawesome-brands-firefox:](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager){ .card-link title=Firefox }
-        [:fontawesome-brands-chrome:](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo){ .card-link title=Chrome }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.psono.psono){ .card-link title="Google Play" }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/us/app/psono-password-manager/id1545581224){ .card-link title="App Store" }
-        [:fontawesome-brands-docker:](https://hub.docker.com/r/psono/psono-client){ .card-link title="Docker Hub" }
+        - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+        - [:fontawesome-brands-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
 
-## Password Management Servers
-
-These products are self-hostable synchronization for cloud based password managers.
-
-### Vaultwarden
-
-!!! recommendation
-
-    ![Vaultwarden logo](assets/img/password-management/vaultwarden.svg#only-light){ align=right }
-    ![Vaultwarden logo](assets/img/password-management/vaultwarden-dark.svg#only-dark){ align=right }
-
-    **Vaultwarden** is an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
-
-    [:octicons-repo-16: Repository](https://github.com/dani-garcia/vaultwarden){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute }
-
-    ??? downloads
-
-        [:fontawesome-brands-docker:](https://hub.docker.com/r/vaultwarden/server){ .card-link title="Docker Hub" }
-
-### Psono Server
-
-!!! recommendation
-
-    ![Psono Server logo](assets/img/password-management/psono.svg){ align=right }
-
-    Psono provides [extensive documentation](https://doc.psono.com/) for their product. The [web-client](https://doc.psono.com/admin/installation/install-webclient.html#installation-with-docker) for Psono can be self-hosted; alternatively, you can choose the the full [Community Edition](https://doc.psono.com/admin/installation/install-server-ce.html) or the [Enterprise Edition](https://doc.psono.com/admin/installation/install-server-ee.html) with additional features.
-
-    [:octicons-repo-16: Repository](https://gitlab.com/psono/psono-server){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://doc.psono.com/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://gitlab.com/psono/psono-server){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        [:fontawesome-brands-docker:](https://hub.docker.com/r/psono/psono-server){ .card-link title="Docker Hub" }
+Psono provides [extensive documentation](https://doc.psono.com/) for their product. The [web-client](https://doc.psono.com/admin/installation/install-webclient.html#installation-with-docker) for Psono can be self-hosted; alternatively, you can choose the the full [Community Edition](https://doc.psono.com/admin/installation/install-server-ce.html) or the [Enterprise Edition](https://doc.psono.com/admin/installation/install-server-ee.html) with additional features.
 
 ## Minimal Password Managers
 
@@ -167,9 +142,9 @@ These products are minimal password managers that can be used within scripting a
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://www.gopass.pw/#install-windows){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://www.gopass.pw/#install-macos){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://www.gopass.pw/#install-linux){ .card-link title=Linux }
-        [:fontawesome-brands-freebsd:](https://www.gopass.pw/#install-bsd){ .card-link title=FreeBSD }
+        - [:fontawesome-brands-windows: Windows](https://www.gopass.pw/#install-windows)
+        - [:fontawesome-brands-apple: macOS](https://www.gopass.pw/#install-macos)
+        - [:fontawesome-brands-linux: Linux](https://www.gopass.pw/#install-linux)
+        - [:fontawesome-brands-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
 
 --8<-- "includes/abbreviations.en.md"

docs/productivity.en.md

@@ -22,15 +22,15 @@ Get working and collaborating without sharing your documents with a middleman or
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://www.libreoffice.org/download/download/){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://www.libreoffice.org/download/download/){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://www.libreoffice.org/download/download/){ .card-link title=Linux }
-        [:pg-flathub:](https://www.libreoffice.org/download/download/){ .card-link title=Flatpak }
-        [:fontawesome-brands-freebsd:](https://www.freshports.org/editors/libreoffice/){ .card-link title=FreeBSD }
-        [:pg-openbsd:](https://openports.se/editors/libreoffice){ .card-link title=OpenBSD }
-        [:pg-netbsd:](https://pkgsrc.se/misc/libreoffice){ .card-link title=NetBSD }
-        [:fontawesome-brands-google-play:](https://www.libreoffice.org/download/android-and-ios/){ .card-link title="Google Play" }
-        [:fontawesome-brands-app-store-ios:](https://www.libreoffice.org/download/android-and-ios/){ .card-link title="App Store" }
+        - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/)
+        - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/)
+        - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/)
+        - [:pg-flathub: Flatpak](https://www.libreoffice.org/download/download/)
+        - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
+        - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice)
+        - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice)
+        - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+        - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/)
 
 ### OnlyOffice
 
@@ -47,12 +47,12 @@ Get working and collaborating without sharing your documents with a middleman or
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://www.onlyoffice.com/download-desktop.aspx){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://www.onlyoffice.com/download-desktop.aspx){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://www.onlyoffice.com/download-desktop.aspx){ .card-link title=Linux }
-        [:fontawesome-brands-freebsd:](https://www.freshports.org/www/onlyoffice-documentserver/){ .card-link title=FreeBSD }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.onlyoffice.documents){ .card-link title="Google Play" }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/id944896972){ .card-link title="App Store" }
+        - [:fontawesome-brands-windows: Windows](https://www.onlyoffice.com/download-desktop.aspx)
+        - [:fontawesome-brands-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
+        - [:fontawesome-brands-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
+        - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id944896972)
 
 ## Planning
 
@@ -71,21 +71,9 @@ Get working and collaborating without sharing your documents with a middleman or
 
 ## Paste services
 
-### PrivateBin
-
-!!! recommendation
-
-    ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
-
-    **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
-
-    [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
-    [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
-    [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
-
 !!! warning
-    PrivateBin uses JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat.
+
+    Encrypted Pastebin websites like the ones recommended here use JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat.
 
 ### CryptPad
 
@@ -101,8 +89,18 @@ Get working and collaborating without sharing your documents with a middleman or
     [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
     [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
 
-!!! warning
-    CryptPad uses JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat.
+### PrivateBin
+
+!!! recommendation
+
+    ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right }
+
+    **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/).
+
+    [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary }
+    [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"}
+    [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
 
 ## Blogging
 
@@ -122,11 +120,11 @@ Get working and collaborating without sharing your documents with a middleman or
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://github.com/writeas/writeas-cli){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://github.com/writeas/writeas-cli){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://github.com/writeas/writeas-cli){ .card-link title=Linux }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=com.abunchtell.writeas){ .card-link title="Google Play" }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/id1531530896){ .card-link title="App Store" }
+        - [:fontawesome-brands-windows: Windows](https://github.com/writeas/writeas-cli)
+        - [:fontawesome-brands-apple: macOS](https://github.com/writeas/writeas-cli)
+        - [:fontawesome-brands-linux: Linux](https://github.com/writeas/writeas-cli)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.abunchtell.writeas)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1531530896)
 
 ## Programming
 
@@ -144,8 +142,8 @@ Get working and collaborating without sharing your documents with a middleman or
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://vscodium.com/#install){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://vscodium.com/#install){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://vscodium.com/#install){ .card-link title=Linux }
+        - [:fontawesome-brands-windows: Windows](https://vscodium.com/#install)
+        - [:fontawesome-brands-apple: macOS](https://vscodium.com/#install)
+        - [:fontawesome-brands-linux: Linux](https://vscodium.com/#install)
 
 --8<-- "includes/abbreviations.en.md"

docs/real-time-communication.en.md

@@ -2,7 +2,72 @@
 title: "Real-Time Communication"
 icon: material/chat-processing
 ---
-## Encrypted Instant Messengers
+## Cross-Platform Messengers
+
+### Element
+
+!!! recommendation
+
+    ![Element logo](assets/img/messengers/element.svg){ align=right }
+
+    **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
+
+    Messages and files shared in private rooms (those which require an invite) are by default E2EE as are 1 to 1 voice and video calls.
+
+    [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://element.io/get-started)
+        - [:fontawesome-brands-apple: macOS](https://element.io/get-started)
+        - [:fontawesome-brands-linux: Linux](https://element.io/get-started)
+        - [:octicons-globe-16: Web](https://app.element.io)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/im.vector.app/)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/vector/id1083446067)
+
+Profile pictures, reactions, and nicknames are not encrypted.
+
+Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non room participants can also join the calls. We recommend that you do not use this feature for private meetings.
+
+When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](basics/threat-modeling.md) requires stronger protection, then use a desktop or mobile client instead.
+
+The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
+
+### Session
+
+!!! recommendation
+
+    ![Session logo](assets/img/messengers/session.svg){ align=right }
+
+    **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
+
+    Session utilizes the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
+
+    [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://getsession.org/download)
+        - [:fontawesome-brands-apple: macOS](https://getsession.org/download)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1470168868)
+        - [:fontawesome-brands-linux: Linux](https://getsession.org/download)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+        - [:pg-f-droid: F-Droid](https://fdroid.getsession.org)
+
+Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.
+
+Session does [not](https://getsession.org/blog/session-protocol-technical-information) support perfect forward secrecy, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information.
+
+Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.”
+
+Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
 
 ### Signal
 
@@ -22,11 +87,11 @@ icon: material/chat-processing
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://signal.org/download){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://signal.org/download){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://signal.org/download){ .card-link title=Linux }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms){ .card-link title="Google Play" }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/id874139669){ .card-link title="App Store" }
+        - [:fontawesome-brands-windows: Windows](https://signal.org/download)
+        - [:fontawesome-brands-apple: macOS](https://signal.org/download)
+        - [:fontawesome-brands-linux: Linux](https://signal.org/download)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id874139669)
 
 Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server.
 
@@ -36,40 +101,9 @@ Signal requires your phone number as a personal identifier.
 
 The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
 
-### Element
+## Other Messengers
 
-!!! recommendation
-
-    ![Element logo](assets/img/messengers/element.svg){ align=right }
-
-    **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
-
-    Messages and files shared in private rooms (those which require an invite) are by default E2EE as are 1 to 1 voice and video calls.
-
-    [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        [:fontawesome-brands-windows:](https://element.io/get-started){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://element.io/get-started){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://element.io/get-started){ .card-link title=Linux }
-        [:octicons-globe-16:](https://app.element.io){ .card-link title=Web }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=im.vector.app){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/im.vector.app/){ .card-link title= F-Droid}
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/vector/id1083446067){ .card-link title="App Store" }
-
-Profile pictures, reactions, and nicknames are not encrypted.
-
-Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non room participants can also join the calls. We recommend that you do not use this feature for private meetings.
-
-When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](basics/threat-modeling.md) requires stronger protection, then use a desktop or mobile client instead.
-
-The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
-
-### Briar
+### Briar (Android)
 
 !!! recommendation
 
@@ -85,9 +119,9 @@ The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matr
 
     ??? downloads
 
-        [:pg-flathub:](https://flathub.org/apps/details/org.briarproject.Briar){ .card-link title=Flatpak }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=org.briarproject.briar.android){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/packages/org.briarproject.briar.android){ .card-link title=F-Droid }
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.briarproject.Briar)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.briarproject.briar.android)
 
 To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.
 
@@ -97,38 +131,6 @@ Briar has a fully [published specification](https://code.briarproject.org/briar/
 
 Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
 
-### Session
-
-!!! recommendation
-
-    ![Session logo](assets/img/messengers/session.svg){ align=right }
-
-    **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls.
-
-    Session utilizes the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network.
-
-    [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        [:fontawesome-brands-windows:](https://getsession.org/download){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://getsession.org/download){ .card-link title=macOS }
-        [:fontawesome-brands-app-store-ios:](https://apps.apple.com/app/id1470168868){ .card-link title="App Store" }
-        [:fontawesome-brands-linux:](https://getsession.org/download){ .card-link title=Linux }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=network.loki.messenger){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://fdroid.getsession.org){ .card-link title=F-Droid }
-
-Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.
-
-Session does [not](https://getsession.org/blog/session-protocol-technical-information) support perfect forward secrecy, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information.
-
-Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.”
-
-Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
-
 ## Types of Communication Networks
 
 There are several network architectures commonly used to relay messages between people. These networks can provide different different privacy guarantees, which is why it's worth considering your [threat model](https://en.wikipedia.org/wiki/Threat_model) when making a decision about which app to use.

docs/search-engines.en.md

@@ -8,6 +8,25 @@ The recommendations here are based on the merits of each service's privacy polic
 
 Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
 
+## Brave Search
+
+!!! recommendation
+
+    ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right }
+
+    **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives.
+
+    Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
+
+    We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics), this option is enabled by default and can be disabled within settings.
+
+    [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
+    [:pg-tor:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title=Onion }
+    [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
+
+Brave Search is based in the :flag_us: United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
+
 ## DuckDuckGo
 
 !!! recommendation
@@ -30,44 +49,6 @@ DuckDuckGo is based in the :flag_us: United States. Their [privacy policy](https
 
 DuckDuckGo offers two other [versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
 
-## Startpage
-
-!!! recommendation
-
-    ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
-    ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
-
-    **Startpage** is a private search engine known for serving Google search results. Startpage's flagship feature is [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the Tor Browser instead. The feature can be useful for hiding some network and browser properties—see the [technical document](https://support.startpage.com/index.php?/Knowledgebase/Article/View/1185/0/the-anonymous-view-proxy---technical-details=undefined) for more details.
-
-    Startpage has been known to refuse access to those using a VPN service or Tor, so your mileage may vary.
-
-    [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://support.startpage.com/index.php?/Knowledgebase/List){ .card-link title=Documentation}
-
-Startpage is based in the :flag_nl: Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
-
-Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have an distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
-
-## Brave Search
-
-!!! recommendation
-
-    ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right }
-
-    **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives.
-
-    Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
-
-    We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics), this option is enabled by default and can be disabled within settings.
-
-    [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
-    [:pg-tor:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title=Onion }
-    [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation}
-
-Brave Search is based in the :flag_us: United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained.
-
 ## SearXNG
 
 !!! recommendation
@@ -86,4 +67,23 @@ When self-hosting, it is important that you have other people using your instanc
 
 When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.
 
+## Startpage
+
+!!! recommendation
+
+    ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
+    ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
+
+    **Startpage** is a private search engine known for serving Google search results. Startpage's flagship feature is [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the Tor Browser instead. The feature can be useful for hiding some network and browser properties—see the [technical document](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) for more details.
+
+    Startpage has been known to refuse access to those using a VPN service or Tor, so your mileage may vary.
+
+    [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+Startpage is based in the :flag_nl: Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
+
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have an distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+
 --8<-- "includes/abbreviations.en.md"

docs/self-contained-networks.en.md

@@ -4,31 +4,27 @@ icon: material/security-network
 ---
 These networks are designed to keep your traffic anonymous.
 
-## Tor
+## Freenet
 
 !!! recommendation
 
-    ![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
+    ![Freenet logo](assets/img/self-contained-networks/freenet.svg){ align=right }
 
-    The **Tor** network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. You use the Tor network by connecting through a series of virtual tunnels rather than making a direct connection to the site you're trying to visit, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Tor is an effective censorship circumvention tool.
+    **Freenet** is a peer-to-peer platform for censorship-resistant communication. It uses a decentralized distributed data store to keep and deliver information, and has a suite of free software for publishing and communicating on the Web without fear of censorship. Both Freenet and some of its associated tools were originally designed by Ian Clarke, who defined Freenet's goal as providing freedom of speech on the Internet with strong anonymity protection.
 
-    [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
-    [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title=Onion }
-    [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
+    [:octicons-home-16: Homepage](https://freenetproject.org){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://freenetproject.org/pages/documentation.html){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/freenet/){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://freenetproject.org/pages/donate.html){ .card-link title=Contribute }
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://www.torproject.org/download/){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://www.torproject.org/download/){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://www.torproject.org/download/){ .card-link title=Linux }
-        [:fontawesome-brands-freebsd:](https://www.freshports.org/security/tor){ .card-link title=FreeBSD }
-        [:pg-openbsd:](https://openports.se/net/tor){ .card-link title=OpenBSD }
-        [:pg-netbsd:](https://pkgsrc.se/net/tor){ .card-link title=NetBSD }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=org.torproject.torbrowser){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://support.torproject.org/tormobile/tormobile-7/){ .card-link title=F-Droid }
-        [:fontawesome-brands-android:](https://www.torproject.org/download/#android){ .card-link title=Android }
+        - [:fontawesome-brands-windows: Windows](https://freenetproject.org/pages/download.html#windows)
+        - [:fontawesome-brands-apple: macOS](https://freenetproject.org/pages/download.html#os-x)
+        - [:fontawesome-brands-linux: Linux](https://freenetproject.org/pages/download.html#gnulinux-posix)
+        - [:fontawesome-brands-freebsd: FreeBSD](https://freenetproject.org/pages/download.html#gnulinux-posix)
+        - [:pg-openbsd: OpenBSD](https://freenetproject.org/pages/download.html#gnulinux-posix)
+        - [:pg-netbsd: NetBSD](https://freenetproject.org/pages/download.html#gnulinux-posix)
 
 ## Invisible Internet Project
 
@@ -46,36 +42,40 @@ These networks are designed to keep your traffic anonymous.
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://geti2p.net/en/download#windows){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://geti2p.net/en/download#mac){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://geti2p.net/en/download#unix){ .card-link title=Linux }
-        [:fontawesome-brands-freebsd:](https://www.freshports.org/security/i2p){ .card-link title=FreeBSD }
-        [:pg-openbsd:](https://openports.se/net/i2pd){ .card-link title=OpenBSD }
-        [:pg-netbsd:](https://pkgsrc.se/wip/i2pd){ .card-link title=NetBSD }
-        [:fontawesome-brands-android:](https://geti2p.net/en/download#android){ .card-link title=Android }
-        [:fontawesome-brands-google-play:](https://play.google.com/store/apps/details?id=net.i2p.android){ .card-link title="Google Play" }
-        [:pg-f-droid:](https://f-droid.org/app/net.i2p.android.router){ .card-link title=F-Droid }
+        - [:fontawesome-brands-windows: Windows](https://geti2p.net/en/download#windows)
+        - [:fontawesome-brands-apple: macOS](https://geti2p.net/en/download#mac)
+        - [:fontawesome-brands-linux: Linux](https://geti2p.net/en/download#unix)
+        - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/security/i2p)
+        - [:pg-openbsd: OpenBSD](https://openports.se/net/i2pd)
+        - [:pg-netbsd: NetBSD](https://pkgsrc.se/wip/i2pd)
+        - [:fontawesome-brands-android: Android](https://geti2p.net/en/download#android)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.i2p.android)
+        - [:pg-f-droid: F-Droid](https://f-droid.org/app/net.i2p.android.router)
 
-## The Freenet Project
+## Tor
 
 !!! recommendation
 
-    ![Freenet logo](assets/img/self-contained-networks/freenet.svg){ align=right }
+    ![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right }
 
-    **Freenet** is a peer-to-peer platform for censorship-resistant communication. It uses a decentralized distributed data store to keep and deliver information, and has a suite of free software for publishing and communicating on the Web without fear of censorship. Both Freenet and some of its associated tools were originally designed by Ian Clarke, who defined Freenet's goal as providing freedom of speech on the Internet with strong anonymity protection.
+    The **Tor** network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. You use the Tor network by connecting through a series of virtual tunnels rather than making a direct connection to the site you're trying to visit, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Tor is an effective censorship circumvention tool.
 
-    [:octicons-home-16: Homepage](https://freenetproject.org){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://freenetproject.org/pages/documentation.html){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/freenet/){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://freenetproject.org/pages/donate.html){ .card-link title=Contribute }
+    [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
+    [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title=Onion }
+    [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute }
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://freenetproject.org/pages/download.html#windows){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://freenetproject.org/pages/download.html#os-x){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://freenetproject.org/pages/download.html#gnulinux-posix){ .card-link title=Linux }
-        [:fontawesome-brands-freebsd:](https://freenetproject.org/pages/download.html#gnulinux-posix){ .card-link title=FreeBSD }
-        [:pg-openbsd:](https://freenetproject.org/pages/download.html#gnulinux-posix){ .card-link title=OpenBSD }
-        [:pg-netbsd:](https://freenetproject.org/pages/download.html#gnulinux-posix){ .card-link title=NetBSD }
+        - [:fontawesome-brands-windows: Windows](https://www.torproject.org/download/)
+        - [:fontawesome-brands-apple: macOS](https://www.torproject.org/download/)
+        - [:fontawesome-brands-linux: Linux](https://www.torproject.org/download/)
+        - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/security/tor)
+        - [:pg-openbsd: OpenBSD](https://openports.se/net/tor)
+        - [:pg-netbsd: NetBSD](https://pkgsrc.se/net/tor)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+        - [:pg-f-droid: F-Droid](https://support.torproject.org/tormobile/tormobile-7/)
+        - [:fontawesome-brands-android: Android](https://www.torproject.org/download/#android)
 
 --8<-- "includes/abbreviations.en.md"

docs/tools.en.md

@@ -107,9 +107,9 @@ For your convenience, everything we recommend is listed below with a link to the
 
 <div class="grid cards" markdown>
 
+- ![Cryptee logo](assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](cloud.md#cryptee)
 - ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](cloud.md#nextcloud)
 - ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
-- ![Cryptee logo](assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](cloud.md#cryptee)
 - ![Tahoe-LAFS logo](assets/img/cloud/tahoe-lafs.svg#only-light){ .twemoji }![Tahoe-LAFS logo](assets/img/cloud/tahoe-lafs-dark.svg#only-dark){ .twemoji } [Tahoe-LAFS (Advanced)](cloud.md#tahoe-lafs)
 
 </div>
@@ -151,10 +151,10 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#protonmail)
 - ![Mailbox.org logo](assets/img/email/mini/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
-- ![Tutanota logo](assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#protonmail)
 - ![StartMail logo](assets/img/email/mini/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/mini/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
 
 </div>
 
@@ -164,8 +164,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![SimpleLogin logo](assets/img/email/mini/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
 - ![AnonAddy logo](assets/img/email/mini/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/mini/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/mini/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
 
 </div>
 
@@ -175,8 +175,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
 - ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email)
+- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email)
 
 </div>
 
@@ -186,10 +186,10 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![DuckDuckGo logo](assets/img/search-engines/mini/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
-- ![Startpage logo](assets/img/search-engines/mini/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/mini/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
 - ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
+- ![DuckDuckGo logo](assets/img/search-engines/mini/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
 - ![SearXNG logo](assets/img/search-engines/mini/searxng-wordmark.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/mini/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/mini/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
 
 </div>
 
@@ -209,9 +209,9 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
 - ![Mullvad logo](assets/img/vpn/mini/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
 - ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#protonvpn)
-- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
 
 </div>
 
@@ -223,11 +223,11 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Tutanota logo](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota (SaaS)](calendar-contacts.md#tutanota)
-- ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar (SaaS)](calendar-contacts.md#proton-calendar)
-- ![EteSync logo](assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](calendar-contacts.md#etesync)
-- ![Tutanota logo](assets/img/calendar-contacts/nextcloud.svg){ .twemoji } [Nextcloud](calendar-contacts.md#nextcloud)
 - ![DecSync CC logo](assets/img/calendar-contacts/decsync.svg){ .twemoji } [DecSync CC](calendar-contacts.md#decsync-cc)
+- ![EteSync logo](assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](calendar-contacts.md#etesync)
+- ![Nextcloud logo](assets/img/calendar-contacts/nextcloud.svg){ .twemoji } [Nextcloud](calendar-contacts.md#nextcloud)
+- ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar (SaaS)](calendar-contacts.md#proton-calendar)
+- ![Tutanota logo](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota (SaaS)](calendar-contacts.md#tutanota)
 
 </div>
 
@@ -237,9 +237,9 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
+- ![EteSync Notes logo](assets/img/notebooks/etesync-notes.png){ .twemoji } [EteSync Notes](notebooks.md#etesync-notes)
 - ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin)
 - ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes)
-- ![EteSync Notes logo](assets/img/notebooks/etesync-notes.png){ .twemoji } [EteSync Notes](notebooks.md#etesync-notes)
 - ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode)
 
 </div>
@@ -252,12 +252,12 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 - ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird)
 - ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail)
+- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail)
+- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail)
 - ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution)
+- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail)
 - ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact)
 - ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope)
-- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail)
-- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail)
-- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail)
 - ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt)
 
 </div>
@@ -274,9 +274,9 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt)
 - ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator)
 - ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt)
+- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt)
 - ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh)
 - ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor)
 - ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb)
@@ -302,11 +302,11 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
 - ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ .twemoji } [Magic Wormhole](file-sharing.md#magic-wormhole)
+- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
 - ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
-- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
 - ![git-annex logo](assets/img/file-sharing-sync/gitannex.svg){ .twemoji } [git-annex](file-sharing.md#git-annex)
+- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
 
 </div>
 
@@ -316,11 +316,11 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![MAT2 logo](assets/img/metadata-removal/mat2.svg){ .twemoji } [MAT2](metadata-removal-tools.md#mat2)
 - ![ExifCleaner logo](assets/img/metadata-removal/exifcleaner.svg){ .twemoji } [ExifCleaner](metadata-removal-tools.md#exifcleaner)
-- ![Scrambled Exif logo](assets/img/metadata-removal/scrambled-exif.svg){ .twemoji } [Scrambled Exif (Android)](metadata-removal-tools.md#scrambled-exif)
+- ![MAT2 logo](assets/img/metadata-removal/mat2.svg){ .twemoji } [MAT2](metadata-removal-tools.md#mat2)
 - ![Imagepipe logo](assets/img/metadata-removal/imagepipe.svg){ .twemoji } [Imagepipe (Android)](metadata-removal-tools.md#imagepipe)
 - ![Metapho logo](assets/img/metadata-removal/metapho.jpg){ .twemoji } [Metapho (iOS)](metadata-removal-tools.md#metapho)
+- ![Scrambled Exif logo](assets/img/metadata-removal/scrambled-exif.svg){ .twemoji } [Scrambled Exif (Android)](metadata-removal-tools.md#scrambled-exif)
 - ![ExifTool logo](assets/img/metadata-removal/exiftool.png){ .twemoji } [ExifTool (CLI)](metadata-removal-tools.md#exiftool)
 
 </div>
@@ -331,8 +331,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
 - ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
+- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
 - ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
 
@@ -344,12 +344,12 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
 - ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx)
+- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
 - ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
+- ![Vaultwarden logo](assets/img/password-management/vaultwarden.svg#only-light){ .twemoji }![Vaultwarden logo](assets/img/password-management/vaultwarden-dark.svg#only-dark){ .twemoji } [Vaultwarden (Bitwarden Server)](passwords.md#vaultwarden)
 - ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
 - ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
-- ![Vaultwarden logo](assets/img/password-management/vaultwarden.svg#only-light){ .twemoji }![Vaultwarden logo](assets/img/password-management/vaultwarden-dark.svg#only-dark){ .twemoji } [Vaultwarden (Bitwarden Server)](passwords.md#vaultwarden)
 
 </div>
 
@@ -362,8 +362,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 - ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
 - ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
 - ![Framadate logo](assets/img/productivity/framadate.svg){ .twemoji } [Framadate (Appointment Planning)](productivity.md#framadate)
-- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
 - ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
+- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
 - ![Write.as logo](assets/img/productivity/writeas.svg#only-light){ .twemoji }![Write.as logo](assets/img/productivity/writeas-dark.svg#only-dark){ .twemoji } [Write.as (Blogging Platform)](productivity.md#writeas)
 - ![VSCodium logo](assets/img/productivity/vscodium.svg){ .twemoji } [VSCodium (Source-Code Editor)](productivity.md#vscodium)
 
@@ -375,10 +375,10 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
 - ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
-- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](real-time-communication.md#briar)
 - ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](real-time-communication.md#briar)
 
 </div>
 
@@ -388,12 +388,12 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
-- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
 - ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator)
 - ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder)
-- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
+- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader)
+- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds)
 - ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux)
+- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire)
 - ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat)
 
 </div>
@@ -404,9 +404,9 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Tor logo](./assets/img/self-contained-networks/tor.svg){ .twemoji } [Tor](self-contained-networks.md#tor)
-- ![I2P logo](./assets/img/self-contained-networks/i2p.svg#only-light){ .twemoji } ![I2P logo](./assets/img/self-contained-networks/i2p-dark.svg#only-dark){ .twemoji } [I2P](self-contained-networks.md#invisible-internet-project)
 - ![Freenet logo](./assets/img/self-contained-networks/freenet.svg){ .twemoji } [Freenet](self-contained-networks.md#the-freenet-project)
+- ![I2P logo](./assets/img/self-contained-networks/i2p.svg#only-light){ .twemoji } ![I2P logo](./assets/img/self-contained-networks/i2p-dark.svg#only-dark){ .twemoji } [I2P](self-contained-networks.md#invisible-internet-project)
+- ![Tor logo](./assets/img/self-contained-networks/tor.svg){ .twemoji } [Tor](self-contained-networks.md#tor)
 
 </div>
 
@@ -419,10 +419,9 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 - ![FreeTube logo](assets/img/video-streaming/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](video-streaming.md#freetube)
 - ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry)
 - ![NewPipe logo](assets/img//video-streaming/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](video-streaming.md#newpipe)
-- ![NewPipe x SponsorBlock logo](assets/img/video-streaming/newpipe.svg){ .twemoji } [NewPipe x Sponsorblock](video-streaming.md#sponsorblock)
 - ![Invidious logo](assets/img/video-streaming/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/video-streaming/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](video-streaming.md#invidious)
-- ![Piped logo](assets/img/video-streaming/piped.svg){ .twemoji } [Piped (YouTube, Web)](video-streaming.md#piped)
 - ![Librarian logo](assets/img/video-streaming/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/video-streaming/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](video-streaming.md#librarian)
+- ![Piped logo](assets/img/video-streaming/piped.svg){ .twemoji } [Piped (YouTube, Web)](video-streaming.md#piped)
 
 </div>
 

docs/video-streaming.en.md

@@ -24,10 +24,10 @@ The primary threat when using a video streaming platform is that your streaming
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://freetubeapp.io/#download){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://freetubeapp.io/#download){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://freetubeapp.io/#download){ .card-link title=Linux }
-        [:pg-flathub:](https://flathub.org/apps/details/io.freetubeapp.FreeTube){ .card-link title=Flatpak }
+        - [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download)
+        - [:fontawesome-brands-apple: macOS](https://freetubeapp.io/#download)
+        - [:fontawesome-brands-linux: Linux](https://freetubeapp.io/#download)
+        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
 
 !!! Warning
 
@@ -50,9 +50,9 @@ The primary threat when using a video streaming platform is that your streaming
 
     ??? downloads
 
-        [:fontawesome-brands-windows:](https://lbry.com/windows){ .card-link title=Windows }
-        [:fontawesome-brands-apple:](https://lbry.com/osx){ .card-link title=macOS }
-        [:fontawesome-brands-linux:](https://lbry.com/linux){ .card-link title=Linux }
+        - [:fontawesome-brands-windows: Windows](https://lbry.com/windows)
+        - [:fontawesome-brands-apple: macOS](https://lbry.com/osx)
+        - [:fontawesome-brands-linux: Linux](https://lbry.com/linux)
 
 !!! note
 
@@ -84,8 +84,8 @@ You can disable *Save hosting data to help the LBRY network* option in :gear: **
 
     ??? downloads
 
-        [:pg-f-droid:](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo){ .card-link title=F-Droid}
-        [:fontawesome-brands-github:](https://github.com/TeamNewPipe/NewPipe/releases){ .card-link title=GitHub }
+        - [:pg-f-droid: F-Droid](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo)
+        - [:fontawesome-brands-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)
 
 1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances**
 
@@ -97,13 +97,11 @@ You can disable *Save hosting data to help the LBRY network* option in :gear: **
     
     When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
 
-#### SponsorBlock
-
-*NewPipe x SponsorBlock* is a fork of [NewPipe](https://newpipe.net) with [SponsorBlock](https://sponsor.ajay.app) integrated to help you skip sponsored video segments.
+**NewPipe x SponsorBlock** is a fork of [NewPipe](https://newpipe.net) with [SponsorBlock](https://sponsor.ajay.app) integrated to help you skip sponsored video segments.
 
 It also has integration with [Return YouTube Dislike](https://returnyoutubedislike.com), and some experimental settings such as the ability to use the built-in player for local playback, an option to force fullscreen on landscape mode, and an option to disable error reporting prompts.
 
-- [github.com/polymorphicshade/NewPipe :hero-arrow-circle-right-fill:](https://github.com/polymorphicshade/NewPipe)
+[:octicons-repo-16: "NewPipe x SponsorBlock" on GitHub](https://github.com/polymorphicshade/NewPipe){ .md-button }
 
 This fork is not endorsed by or affiliated with the upstream project. The NewPipe team has [rejected](https://github.com/TeamNewPipe/NewPipe/pull/3205) integration with SponsorBlock and thus this fork is created to provide this functionality.
 
@@ -138,30 +136,6 @@ When self-hosting, it is important that you have other people using your instanc
 
 When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information).
 
-### Piped
-
-!!! recommendation
-
-    ![Piped logo](assets/img/video-streaming/piped.svg){ align=right }
-
-    **Piped** is a free and open source frontend for YouTube that is also self-hostable.
-
-    Piped requires JavaScript in order to function and there are a number of public instances.
-
-    [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
-    [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
-    [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }
-
-!!! tip
-
-    Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself and we don’t recommend logging into any accounts.
-
-When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
-
-When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
-
 ### Librarian
 
 !!! recommendation
@@ -190,4 +164,28 @@ When self-hosting, it is important that you have other people using your instanc
 
 When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information).
 
+### Piped
+
+!!! recommendation
+
+    ![Piped logo](assets/img/video-streaming/piped.svg){ align=right }
+
+    **Piped** is a free and open source frontend for YouTube that is also self-hostable.
+
+    Piped requires JavaScript in order to function and there are a number of public instances.
+
+    [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary }
+    [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"}
+    [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute }
+
+!!! tip
+
+    Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself and we don’t recommend logging into any accounts.
+
+When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
+
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+
 --8<-- "includes/abbreviations.en.md"

docs/vpn.en.md

@@ -13,7 +13,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
     If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
 
-    [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button }
+    [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](basics/tor-overview.md){ .md-button }
 
 ??? question "When are VPNs useful?"
 
@@ -27,6 +27,59 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
     Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information.
 
+### IVPN
+
+!!! recommendation
+
+    ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
+
+    **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.
+
+    **Standard USD $60/year** — **Pro USD $100/year**
+
+    [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" }
+
+??? check annotate "32 Countries"
+
+    IVPN has [servers in 32 countries](https://www.ivpn.net/server-locations) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.
+
+    We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. As of 2022/05/17
+
+??? check "Independently Audited"
+
+    IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future.
+
+??? check "Open Source Clients"
+
+    As of Feburary 2020 [IVPN applications are now open source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
+
+??? check "Accepts Cash and Monero"
+
+    In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment.
+
+??? check "WireGuard Support"
+
+    IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that utilizes state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+    IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
+
+??? check "Remote Port Forwarding"
+
+    Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
+
+??? check "Mobile Clients"
+
+    In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683) and [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client) allowing for easy connections to their servers. The mobile client on Android is also available in [F-Droid](https://f-droid.org/en/packages/net.ivpn.client), which ensures that it is compiled with [reproducible builds](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
+
+??? info "Additional Functionality"
+
+    IVPN clients support two factor authentication (Mullvad and Proton VPN clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
+
 ### Mullvad
 
 !!! recommendation
@@ -125,7 +178,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
 ??? check "Open Source Clients"
 
-    Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/Proton VPN).
+    Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN).
 
 ??? check "Accepts Cash"
 
@@ -149,59 +202,6 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
     Proton VPN have their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
 
-### IVPN
-
-!!! recommendation
-
-    ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right }
-
-    **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar.
-
-    **Standard USD $60/year** — **Pro USD $100/year**
-
-    [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" }
-
-??? check annotate "32 Countries"
-
-    IVPN has [servers in 32 countries](https://www.ivpn.net/server-locations) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.
-
-    We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
-
-1. As of 2022/05/17
-
-??? check "Independently Audited"
-
-    IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future.
-
-??? check "Open Source Clients"
-
-    As of Feburary 2020 [IVPN applications are now open source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
-
-??? check "Accepts Cash and Monero"
-
-    In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment.
-
-??? check "WireGuard Support"
-
-    IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that utilizes state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
-
-    IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/).
-
-??? check "Remote Port Forwarding"
-
-    Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html).
-
-??? check "Mobile Clients"
-
-    In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683) and [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client) allowing for easy connections to their servers. The mobile client on Android is also available in [F-Droid](https://f-droid.org/en/packages/net.ivpn.client), which ensures that it is compiled with [reproducible builds](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
-
-??? info "Additional Functionality"
-
-    IVPN clients support two factor authentication (Mullvad and Proton VPN clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level.
-
 ## Our Criteria
 
 !!! danger

mkdocs.yml

@@ -92,12 +92,19 @@ plugins:
   - git-revision-date-localized:
       exclude:
         - index.en.md
+  - rss:
+      match_path: "blog/.*"
+      pretty_print: true
+      date_from_meta:
+        as_creation: "created"
+        datetime_format: "%Y-%m-%d"
   - privacy:
       externals_exclude:
         - cdn.jsdelivr.net/npm/mathjax@3/*
         - api.privacyguides.net/*
+        - giscus.app/*
 extra_css:
-  - assets/stylesheets/extra.css
+  - assets/stylesheets/extra.css?v=2.10.0
 markdown_extensions:
   - admonition
   - pymdownx.details
@@ -147,10 +154,10 @@ nav:
       - 'basics/common-threats.md'
       - 'basics/account-deletion.md'
       - 'basics/multi-factor-authentication.md'
-      - 'basics/dns.md'
-      - 'basics/erasing-data.md'
-      - 'basics/email-security.md'
       - 'basics/vpn-overview.md'
+      - 'basics/tor-overview.md'
+      - 'basics/dns-overview.md'
+      - 'basics/email-security.md'
     - 'Android':
       - 'android/overview.md'
       - 'android/grapheneos-vs-calyxos.md'
@@ -159,7 +166,8 @@ nav:
       - 'linux-desktop/hardening.md'
       - 'linux-desktop/sandboxing.md'
     - 'Advanced':
-      - 'setup/integrating-metadata-removal.md'
+      - 'advanced/integrating-metadata-removal.md'
+      - 'advanced/erasing-data.md'
   - 'Recommendations':
     - 'tools.md'
     - 'Browsers':
@@ -198,4 +206,10 @@ nav:
     - 'about/privacy-policy.md'
   - 'Donate': '/about/donate/'
   - 'Discussions': 'https://github.com/orgs/privacyguides/discussions'
-  - 'Blog': 'https://blog.privacyguides.org/'
+  - 'Blog':
+    - '2022':
+      - '"Move Fast and Break Things"': 'blog/2022/04/04/move-fast-and-break-things.md'
+    - '2021':
+      - 'Firefox Privacy: 2021 Update': 'blog/2021/12/01/firefox-privacy-2021-update.md'
+      - 'Virtual Insanity': 'blog/2021/11/01/virtual-insanity.md'
+      - 'Welcome to Privacy Guides': 'blog/2021/09/14/welcome-to-privacy-guides.md'

theme/main.html

@@ -0,0 +1,5 @@
+{% extends "base.html" %}
+
+{% block extrahead %}
+    <link rel="preload" href="{{ 'assets/brand/WOFF/bagnard/Bagnard.woff' | url }}" as="font" type="font/woff" crossorigin>
+{% endblock %}

theme/overrides/blog.en.html

@@ -0,0 +1,88 @@
+{% extends "base.html" %}
+{% block extrahead %}
+  <link rel="preload" href="{{ 'assets/brand/WOFF/bagnard/Bagnard.woff' | url }}" as="font" type="font/woff" crossorigin>
+  <link rel="stylesheet" href="{{ 'assets/stylesheets/blog.css' | url }}">
+  <meta property="og:title" content='{{ page.meta.title }}' />
+  <meta property="og:type" content='article' />
+  <meta property="og:url" content='{{ page.canonical_url }}' />
+  <meta property="og:image" content='https://www.privacyguides.org/{{ page.meta.image }}' />
+  <meta property="og:site_name" content='Privacy Guides' />
+  <meta name="twitter:creator" content='@privacy_guides' />
+  <meta name="twitter:site" content='@privacy_guides' />
+{% endblock %}
+{% block tabs %}
+  {{ super() }}
+  <style>.md-content > .md-typeset h1{visibility:hidden;font-size:0;}</style>
+  <section class="mdx-container">
+    <div class="md-grid md-typeset">
+      <div class="mdx-hero">
+        <div class="mdx-hero__content">
+          <h1>{{ page.meta.title }}</h1>
+          <p>{{ page.meta.created }} | {{ page.meta.author }}</p>
+        </div>
+      </div>
+    </div>
+  </section>
+{% endblock %}
+{% block content %}
+  {% if page.meta.image %}
+    <img src="{{ page.meta.image | url }}"> 
+  {% endif %}
+  <a href="{{ '/feed_rss_created.xml' | url }}" title="Open RSS Feed" class="md-content__button md-icon">
+    {% include ".icons/material/rss.svg" %}
+  </a>
+  {% if "tags" in config.plugins %}
+    {% include "partials/tags.html" %}
+  {% endif %}
+  {% if not "\x3ch1" in page.content %}
+    <h1>{{ page.title | d(config.site_name, true)}}</h1>
+  {% endif %}
+  {{ page.content }}
+
+  <!-- Giscus -->
+  <h2 id="__comments">{{ lang.t("meta.comments") }}</h2>
+  <script src="https://giscus.app/client.js"
+        data-repo="privacyguides/privacyguides.org"
+        data-repo-id="MDEwOlJlcG9zaXRvcnkzMTg0MDE5MDY="
+        data-category="Announcements"
+        data-category-id="DIC_kwDOEvptcs4COX5p"
+        data-mapping="og:title"
+        data-reactions-enabled="1"
+        data-emit-metadata="0"
+        data-input-position="top"
+        data-theme="light"
+        data-lang="en"
+        crossorigin="anonymous"
+        async>
+  </script>
+
+  <!-- Reload on palette change -->
+  <script>
+    var palette = __md_get("__palette")
+    if (palette && typeof palette.color === "object")
+      if (palette.color.scheme === "slate") {
+        var giscus = document.querySelector("script[src*=giscus]")
+        giscus.setAttribute("data-theme", "transparent_dark") 
+
+
+      }
+
+    /* Register event handlers after documented loaded */
+    document.addEventListener("DOMContentLoaded", function() {
+      var ref = document.querySelector("[data-md-component=palette]")
+      ref.addEventListener("change", function() {
+        var palette = __md_get("__palette")
+        if (palette && typeof palette.color === "object") {
+          var theme = palette.color.scheme === "slate" ? "transparent_dark" : "light"
+
+          /* Instruct Giscus to change theme */
+          var frame = document.querySelector(".giscus-frame")
+          frame.contentWindow.postMessage(
+            { giscus: { setConfig: { theme } } },
+            "https://giscus.app"
+          )
+        }
+      })
+    })
+  </script>
+{% endblock %}

theme/overrides/home.en.html

@@ -1,6 +1,7 @@
 {% extends "base.html" %}
 {% block extrahead %}
-  <link rel="stylesheet" href="{{ 'assets/stylesheets/home.css' | url }}">
+  <link rel="preload" href="{{ 'assets/brand/WOFF/bagnard/Bagnard.woff' | url }}" as="font" type="font/woff" crossorigin>
+  <link rel="stylesheet" href="{{ 'assets/stylesheets/home.css?v=2.10.0' | url }}">
   <link rel="me" href="https://aragon.sh/@jonah">
   <link rel="me" href="https://fosstodon.org/@freddy">
   <link rel="me" href="https://mastodon.social/@dngray">

theme/partials/logo.html

@@ -1,2 +1,2 @@
-<img src="/assets/brand/SVG/Logo/privacy-guides-logo-notext.svg#only-light" alt="logo">
-<img src="/assets/brand/SVG/Logo/privacy-guides-logo-notext-darkbg.svg#only-dark" alt="logo">
+<img src="/assets/rainbow-brand/privacy-guides-logo-notext.svg#only-light" alt="logo">
+<img src="/assets/rainbow-brand/privacy-guides-logo-notext-darkbg.svg#only-dark" alt="logo">