Remove magic wormhole (#1588)

Signed-off-by: Daniel Gray <dng@disroot.org>

.github/workflows/crowdin.yml

@@ -14,7 +14,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: crowdin action
-      uses: crowdin/github-action@1.4.9
+      uses: crowdin/github-action@1.4.10
       with:
         upload_sources: true
         upload_sources_args: '--auto-update --delete-obsolete'

.github/workflows/deploy.yml

@@ -24,12 +24,12 @@ jobs:
           submodules: 'true'
 
       - name: Set up Python runtime
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: '3.7'
       
       - name: Cache files
-        uses: actions/cache@v3.0.3
+        uses: actions/cache@v3.0.5
         with:
           key: ${{ github.ref }}
           path: .cache

.github/workflows/preview.yml

@@ -27,7 +27,7 @@ jobs:
           submodules: 'true'
 
       - name: Set up Python runtime
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: '3.7'
 

README.md

@@ -74,7 +74,7 @@ This website uses [`mkdocs-material-insiders`](https://squidfunk.github.io/mkdoc
     - `git submodule init`
     - `git submodule update docs/assets/brand`
 2. Install [Python 3.6+](https://www.python.org/downloads/)
-3. Install [dependencies](/Pipfile): `pip install mkdocs mkdocs-material mkdocs-static-i18n mkdocs-git-revision-date-localized-plugin mkdocs-minify-plugin typing-extensions`
+3. Install [dependencies](/Pipfile): `pip install mkdocs mkdocs-material mkdocs-static-i18n mkdocs-git-revision-date-localized-plugin mkdocs-minify-plugin mkdocs-rss-plugin typing-extensions`
 4. Serve the site locally: `mkdocs serve`
     - The site will be available at `http://localhost:8000`
     - You can build the site locally with `mkdocs build`

docs/about/donate.en.md

@@ -42,4 +42,4 @@ Privacy Guides is a **non-profit** organization. We use donations for a variety
 
 :   We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md).
 
-We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org).
+We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org).

docs/about/notices.en.md

@@ -20,7 +20,7 @@ Unless otherwise noted, all content on this website is made freely available und
 
 This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive:
 
-* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/javascripts/LICENSE.mathjax.txt).
+* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt).
 
 Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://github.com/github/opensource.guide/blob/master/LICENSE).
 

docs/advanced/erasing-data.md

@@ -23,7 +23,7 @@ Once you have your boot media, enter your system's UEFI settings and boot from t
 
 ### Flash Storage
 
-For [flash memory](https://en.wikipedia.org/wiki/Flash_memory) (SSD, NVMe etc) devices we suggest the ATA Secure Erase command. Methods such as `nwipe` should not be used on flash storage devices as it may damage their performance. The "Secure Erase" feature is often accessible through the UEFI setup menu.
+For [flash memory](https://en.wikipedia.org/wiki/Flash_memory) (SSD, NVMe, etc) devices we suggest the ATA Secure Erase command. Methods such as `nwipe` should not be used on flash storage devices as it may damage their performance. The "Secure Erase" feature is often accessible through the UEFI setup menu.
 
 It is also possible to complete a Secure Erase using the [`hdparm`](https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase) command, or [Microsoft Secure Group Commands](https://docs.microsoft.com/en-us/windows-hardware/drivers/storage/security-group-commands).
 

docs/advanced/integrating-metadata-removal.en.md

@@ -65,7 +65,7 @@ Shortcuts is quite intuitive to work with, so if you don't like the behavior dem
 ![macOS metadata removal shortcut](../assets/img/integrating-metadata-removal/shortcut-macos.png)
 
 !!! tip "Worth Mentioning"
-    The open source [ImageOptim](https://imageoptim.com/mac) app integrates into Finder's *Services* context menu by default. While it is primarily an image optimization app, it also removes metadata.
+    The open-source [ImageOptim](https://imageoptim.com/mac) app integrates into Finder's *Services* context menu by default. While it is primarily an image optimization app, it also removes metadata.
 
 ### Enabling & using the Shortcut
 
@@ -78,7 +78,7 @@ Shortcuts is quite intuitive to work with, so if you don't like the behavior dem
 
 [Shortcuts](https://support.apple.com/guide/shortcuts/welcome/ios) can be made accessible through the system Share Sheet, making accessing those shortcuts very convenient. This guide will show you how to build a metadata removal shortcut and integrate it into the system *Share Sheet*.
 
-!!! attention
+!!! warning
     This method of metadata removal is not as comprehensive at removing metadata as utilities like [ExifTool](../metadata-removal-tools.md#exiftool) and [mat2](../metadata-removal-tools.md#mat2) are.
 
 The lack of *good* metadata removal apps on the App Store is what makes this solution worthwhile.

docs/advanced/signal-configuration-hardening.en.md

@@ -0,0 +1,260 @@
+---
+title: "Signal Configuration and Hardening"
+icon: 'material/chat-processing'
+---
+
+[Signal](../real-time-communication.md#signal) is a widely regarded instant messaging service that is not only easy to use but is also private and secure. Signal's strong E2EE implementation and metadata protections provide a level of assurance that only you and your intended recipients are able to read communications.
+
+This guide details actions you can take to configure and harden Signal in accordance with your [threat model](../basics/threat-modeling.md).
+
+## Signal Configuration
+
+### Signal PIN
+
+When you register for Signal with your phone number, you will be asked to set up a Signal PIN. This PIN can be used to recover your profile, settings, contacts and who you've blocked in case you ever lose or switch devices.
+
+Additionally, your Signal PIN can also double as a registration lock that prevents others from registering with your number.
+
+!!! attention "Registration Lock"
+
+    The server will not enforce the registration lock after 7 days of inactivity. After that, someone will be able to reset the PIN at registration and register with your phone number. This will wipe the data stored in your Signal account, as it is encrypted by the PIN, but it won't prevent someone from registering with your number provided that they can receive a text on it.
+
+If you haven't set up a Signal PIN, or have previously opted out of setting one up, follow these steps on Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Account** > **Signal PIN**
+- Select **Create new PIN**
+
+Signal will prompt you to enter a PIN. We suggest using a strong alphanumeric PIN that can be stored in a [password manager](../passwords.md).
+
+Once you have done that, or if you already have set up a PIN, make sure that **Registration Lock** is also enabled.
+
+- Select :material-dots-vertical: **Settings** > **Account** > **Signal PIN**
+- [x] Turn on **Registration Lock**
+
+!!! Important
+
+    If you forget the PIN and have enabled a registration lock, you may be locked out of your account for up to 7 days.
+
+You can learn more about Signal PIN on [Signal's website](https://support.signal.org/hc/en-us/articles/360007059792-Signal-PIN).
+
+### Safety Numbers
+
+Safety numbers are a feature in Signal that allows you to ensure that messages are delivered securely between verified devices.
+
+It is best practice to always compare safety numbers with your contacts. This can be done in a couple of ways:
+
+- Scanning your contact's QR code while viewing their safety number.
+- Comparing the safety numbers on both ends, be it visually or audibly.
+
+!!! Important
+
+    In order for safety numbers to also verify that the intended recipient has access to the device you're verifying, you need a secondary communication channel where you can authenticate the person that is holding the device. For example, an in-person meeting or during a video call.
+
+To view the safety number for a particular contact, you need to follow these steps within Signal:
+
+- Go to a chat with a contact.
+- Select the chat header or :material-dots-vertical: > **View Safety Number**
+
+Once you've compared the safety numbers on both devices, you can mark that contact as **Verified**.
+
+A checkmark will appear in the chat header by your contact's name when the safety number is marked as verified. It will remain verified unless the safety number changes or you manually change the verification status.
+
+After doing that, any time the safety number changes, you'll be notified.
+
+If the safety number with one of your contacts changes, we recommend asking the contact what happened (if they switched to a new device or re-installed Signal, for example) and verify the safety numbers again.
+
+For more demanding threat models, you should agree on a protocol with your contacts in advance on what to do in case the safety number ever changes.
+
+You can learn more about safety numbers on [Signal's website](https://support.signal.org/hc/en-us/articles/360007060632-What-is-a-safety-number-and-why-do-I-see-that-it-changed-).
+
+### Disappearing Messages
+
+While communication in Signal is E2EE, the messages are still available on the devices, unless they are manually deleted.
+
+It is good practice to set up disappearing messages in Signal's settings so that any chats you start will disappear after a specified amount of time has passed.
+
+On Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- Under **Disappearing messages**, select **Default timer for new chats**
+- Select the desired amount of time and select **Save**
+
+!!! tip "Override the global default for specific contacts"
+
+    - Go to a chat with a contact
+    - Select :material-dots-vertical: on the top right
+    - Select **Disappearing messages**
+    - Select the desired amount of time and select **Save**
+
+We recommend setting up a reasonable timer by default, such as one week, and adjusting it per contact as you see fit.
+
+!!! tip "Snapchat-like Functionality"
+
+    Signal allows you to send "view-once" media that are automatically removed from the conversation after they have been viewed.
+
+### Disable Link Previews
+
+Signal offers the ability to retrieve previews of webpages linked within a conversation.
+
+This means that when you send a link, a request will be sent to that website so that a preview of the website can be displayed alongside the link. Thus, we recommend disabling link previews.
+
+Your recipient doesn't make any requests unless they open the link on their end.
+
+On Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Chats**
+- [ ] Turn off **Generate link previews**
+
+### Screen Security
+
+Signal allows you to prevent a preview of the app being shown (i.e., in the app switcher) unless you explicitly open it.
+
+On Android:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- [x] Turn on **Screen Security**
+
+On iOS:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- [x] Turn on **Hide Screen in App Switcher**
+
+### Screen Lock
+
+If someone gets a hold of your device while it is unlocked, you run the risk of them being able to open the Signal app and look at your conversations.
+
+To mitigate this, you can leverage the Screen Lock option to require additional authentication before Signal can be accessed.
+
+On Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- [x] Turn on **Screen Lock**
+
+### Notification Privacy
+
+Even when your phone is locked, anyone who can lay eyes on the device can read messages and sender names from your lock screen.
+
+On Signal, you have the ability to hide message content and sender name, or just the message content itself.
+
+On Android:
+
+- Select :material-dots-vertical: **Settings** > **Notifications**
+- Select **Show**
+- Select **No name or message** or **Name only** respectively.
+
+On iOS:
+
+- Select :material-dots-vertical: **Settings** > **Notifications**
+- Select **Show**
+- Select **No name or Content** or **Name Only** respectively.
+
+### Call Relaying
+
+Signal allows you to relay all calls (including video calls) through the Signal server to avoid revealing your IP address to your contact. This may reduce call quality.
+
+On Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Privacy** > **Advanced**
+- [x] Turn on **Always Relay Calls**
+
+For incoming calls from people who are not in your Contacts app, the call will be relayed through the Signal server regardless of how you've set it up.
+
+### Proxy Support
+
+If Signal is blocked in your country, Signal allows you to set up a proxy to bypass it.
+
+!!! Warning
+
+    All traffic remains opaque to the proxy operator. However, the censoring party could learn that you are using Signal through a proxy because the app [fails to route all the IP connections to the proxy](https://community.signalusers.org/t/traffic-not-routed-to-tls-proxies-can-expose-users-to-censors/27479).
+
+You can learn more about Signal's proxy support on their [website](https://support.signal.org/hc/en-us/articles/360056052052-Proxy-Support).
+
+### Keep Your Signal Call History off iCloud (iOS only)
+
+Signal allows you to see your call history from your regular phone app. This allows your iOS device to sync your call history with iCloud, including who you spoke to, when, and for how long.
+
+If you use iCloud and you don’t want to share call history on Signal, confirm it’s turned off:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- [ ] Turn off **Show Calls in Recents**
+
+## Signal Hardening
+
+### Avoid Linking Your Signal Account to a Desktop Device
+
+While it may be tempting to link your Signal account to your desktop device for convenience, keep in mind that this extends your trust to an additional and potentially less secure operating system.
+
+If your threat model calls for it, avoid linking your Signal account to a desktop device to reduce your attack surface.
+
+### Endpoint Security
+
+Signal takes security very seriously, however there is only so much an app can do to protect you.
+
+It is very important to take device security on both ends into account to ensure that your conversations are kept private.
+
+We recommend an up-to-date [GrapheneOS](/android/#grapheneos) or iOS device.
+
+### Hardening Signal with Molly on Android
+
+!!! recommendation
+
+    ![Molly logo](../assets/img/messengers/molly.svg){ align=right }
+
+    **Molly** is a security-focused [Signal](../real-time-communication/#signal) fork that aims to provide extensive hardening and anti-forensic features to people who use Signal.
+
+    [:octicons-home-16: Homepage](https://molly.im/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://github.com/mollyim/mollyim-android/wiki){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/mollyim/mollyim-android){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://opencollective.com/mollyim){ .card-link title=Contribute }
+
+    ??? downloads
+
+         - [:pg-f-droid: F-Droid](https://molly.im/download/fdroid/)
+         - [:fontawesome-brands-github: GitHub](https://github.com/mollyim/mollyim-android/releases)
+
+Molly offers two variants of the app: **Molly** and **Molly-FOSS**.
+
+The former is identical to Signal with the addition of Molly's improvements and security features. The latter, Molly-FOSS, removes Google's proprietary code, which is used for some key features (e.g., [FCM](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) and Google Maps integration), in an effort to make it fully open-source.
+
+A comparison of the two versions is available in the [project's repository](https://github.com/mollyim/mollyim-android#readme).
+
+Both versions of Molly support [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds), meaning it's possible to confirm that the compiled APKs match the source code.
+
+#### Features
+
+Molly has implemented database encryption at rest, which means that you can encrypt the app's database with a passphrase to ensure that none of its data is accessible without it.
+
+!!! note
+
+    As long as Molly is locked, you will not receive notifications for any incoming messages or calls until you unlock it again.
+
+Once enabled, a configurable lock timer can be set, after which point Molly will lock itself if you haven't unlocked your device for that specific time period. Alternatively, you can manually lock the app whenever you want.
+
+For the database encryption feature to be useful, two conditions must be met:
+
+1. Molly has to be locked at the time an attacker gains access to the device. This can include a physical attack in which the attacker seizes your device and manages to unlock the device itself, or a remote attack, in which the device is compromised and manages to elevate privileges to root.
+1. If you become aware that your device has been compromised, you should not unlock Molly's database.
+
+If both of the above conditions are met, the data within Molly is safe as long as the passphrase is not accessible to the attacker.
+
+To supplement the database encryption feature, Molly securely wipes your device's RAM once the database is locked to defend against forensic analysis.
+
+While Molly is running, your data is kept in RAM. When any app closes, its data remains in RAM until another app takes the same physical memory pages. That can take seconds or days, depending on many factors. To prevent anyone from dumping the RAM to disk and extracting your data after Molly is locked, the app overrides all free RAM memory with random data when you lock the database.
+
+There is also the ability to configure a SOCKS proxy in Molly to route its traffic through the proxy or Tor (via [Orbot](/android/#orbot)). When enabled, all traffic is routed through the proxy and there are no known IP or DNS leaks. When using this feature, [call relaying](#call-relaying) will always be enabled, regardless of the setting.
+
+Signal adds everyone who you have communicated with to its database. Molly allows you to delete those contacts and stop sharing your profile with them.
+
+To supplement the feature above, as well as for additional security and to fight spam, Molly offers the ability to block unknown contacts that you've never been in contact with or those that are not in your contact list without you having to manually block them.
+
+You can find a full list of Molly's [features](https://github.com/mollyim/mollyim-android#features) on the project's repository.
+
+#### Caveats
+
+- Molly does not support SMS messages within the app, unlike the official Signal app.
+- Molly removes Signal's Mobilecoin integration.
+- Molly is updated every two weeks to include the latest features and bug fixes from Signal. The exception is security issues, that are patched as soon as possible. That said, you should be aware that there might be a slight delay compared to upstream.
+- By using Molly, you are extending your trust to another party, as you now need to trust the Signal team, as well as the Molly team.
+
+--8<-- "includes/abbreviations.en.md"

docs/android.en.md

@@ -6,7 +6,7 @@ icon: 'fontawesome/brands/android'
 These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. We also have additional Android-related information:
 
 - [General Android Overview and Recommendations :hero-arrow-circle-right-fill:](android/overview.md)
-- [GrapheneOS vs CalyxOS Comparison :hero-arrow-circle-right-fill:](android/grapheneos-vs-calyxos.md)
+- [Why we recommend GrapheneOS over CalyxOS :hero-arrow-circle-right-fill:](android/grapheneos-vs-calyxos.md)
 
 ## AOSP Derivatives
 
@@ -37,24 +37,6 @@ GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandbox
 
 Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).
 
-### CalyxOS
-
-!!! recommendation
-
-    ![CalyxOS logo](assets/img/android/calyxos.svg){ align=right }
-
-    **CalyxOS** is a system with some privacy features on top of AOSP, including [Datura](https://calyxos.org/docs/tech/datura-details) firewall, [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so verified boot is fully supported.
-
-    [:octicons-home-16: Homepage](https://calyxos.org/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://calyxinstitute.org/legal/privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://calyxos.org/docs/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/CalyxOS){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://members.calyxinstitute.org/donate){ .card-link title=Contribute }
-
-CalyxOS optionally includes [microG](https://microg.org/), a partially open source reimplementation of Play Services which provides broader app compatibility. It also bundles in alternate location services: [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu).
-
-CalyxOS [supports](https://calyxos.org/docs/guide/device-support/) Google Pixel phones, the OnePlus 8T/9 and the Fairphone 4. We only recommend CalyxOS as a harm reduction measure for the OnePlus 8T, OnePlus 9, and especially the Fairphone 4.
-
 ### DivestOS
 
 !!! recommendation
@@ -79,7 +61,7 @@ DivestOS implements some system hardening patches originally developed for Graph
 
 !!! warning
 
-    DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS or CalyxOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
+    DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
 
     Not all of the supported devices have verified boot, and some perform it better than others.
 
@@ -89,7 +71,7 @@ When purchasing a device, we recommend getting one as new as possible. The softw
 
 Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution.
 
-Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
 
 A few more tips regarding Android devices and operating system compatibility:
 
@@ -99,7 +81,7 @@ A few more tips regarding Android devices and operating system compatibility:
 
 ### Google Pixel
 
-Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
+Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
 
 !!! recommendation
 
@@ -113,7 +95,7 @@ Google Pixel phones are the **only** devices we recommend for purchase. Pixel ph
 
 Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface.
 
-Google Pixel phones use a TEE OS called Trusty which is [open source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
+Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones.
 
 The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
 
@@ -124,28 +106,6 @@ A few more tips for purchasing a Google Pixel:
 - Look at online community bargain sites in your country. These can alert you to good sales.
 - Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date }-\text{ Current Date}$, meaning that the longer use of the device the lower cost per day.
 
-### Other Devices
-
-The following OEMs are only mentioned as they have phones compatible with the operating systems recommended by us. If you are purchasing a new device, we only recommend purchasing a Google Pixel.
-
-#### OnePlus
-
-If you are unable to obtain a Google Pixel, recent OnePlus devices are the next best option if you want to run a custom OS without privileged Play Services. OnePlus 8 and later devices will receive 4 years of security updates from their initial launch date. CalyxOS has [experimental support](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/) for the **OnePlus 8T** and **9**.
-
-DivestOS has support for most OnePlus devices up to the **OnePlus 7T Pro**, with varying levels of support.
-
-#### Fairphone
-
-!!! danger
-
-    The Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
-
-    This problem is somewhat mitigated when you install a custom operating system such as CalyxOS or DivestOS and trust the developer's signing keys rather than the stock system keys, however a vulnerability in CalyxOS or DivestOS's recovery environments could still potentially allow an attacker to bypass AVB. **To reiterate, you must install a custom operating system with custom boot keys to use Fairphone devices in a secure manner.**
-
-CalyxOS has [experimental support](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/) for the **Fairphone 4**. DivestOS has builds available for the **Fairphone 3**.
-
-Fairphone markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
-
 ## General Apps
 
 ### Orbot
@@ -198,7 +158,7 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
 
 !!! warning
 
-    As CalyxOS includes a device controller, we recommend using their built in work profile instead.
+    As CalyxOS includes a device controller, we recommend using their built-in work profile instead.
 
     Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html).
 
@@ -211,7 +171,7 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
     ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right }
     ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right }
 
-    **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently it works with GrapheneOS and the device's stock operating system.
+    **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system.
 
     [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" }
@@ -234,7 +194,7 @@ Auditor performs attestation and intrusion detection by:
 
 No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
 
-If your [threat model](basics/threat-modeling.md) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
+If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using Orbot or a VPN to hide your IP address from the attestation service.
 To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
 
 ### Secure Camera
@@ -244,7 +204,7 @@ To make sure that your hardware and operating system is genuine, [perform local
     ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right }
     ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right }
 
-      **Secure Camera** is an camera app focused on privacy and security which can capture images, videos, and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
+      **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.
 
     [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
     [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation}
@@ -318,11 +278,11 @@ GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Ap
 
 ### Aurora Store
 
-The Google Play Store requires a Google account to login which is not great for privacy. The [Aurora Store](https://auroraoss.com/download/AuroraStore/) (a Google Play Store proxy) does not, and works most of the time.
+The Google Play Store requires a Google account to login which is not great for privacy. The [Aurora Store](https://auroraoss.com/download/AuroraStore/) (a Google Play Store proxy) does not and works most of the time.
 
 ### F-Droid
 
-F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications, and is dedicated to free and open source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/).
+F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/).
 
 Sometimes the official F-Droid repository may fall behind on updates. F-Droid maintainers reuse package IDs while signing apps with their own keys, which is not ideal as it does give the F-Droid team ultimate trust. The Google Play version of some apps may contain unwanted telemetry or lack features that are available in the F-Droid version.
 
@@ -349,7 +309,7 @@ To mitigate these problems, we recommend [Neo Store](https://github.com/NeoAppli
     **Neo Store** is a modern F-Droid client made with MaterialUI, forked from [Foxy Droid](https://github.com/kitsunyan/foxy-droid).
 
     Unlike the official F-Droid client, Neo Store supports seamless updates on Android 12 and above without the need for a privileged extension. If your Android distribution is on Android 12 or above and does not include the [F-Droid privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged/), it is highly recommended that you use Neo Store instead of the official client.
-    
+
     [:octicons-repo-16: Repository](https://github.com/NeoApplications/Neo-Store){ .md-button .md-button--primary }
     [:octicons-code-16:](https://github.com/NeoApplications/Neo-Store){ .card-link title="Source Code" }
 

docs/android/grapheneos-vs-calyxos.en.md

@@ -1,12 +1,15 @@
 ---
-title: "GrapheneOS vs CalyxOS"
+title: "Why we recommend GrapheneOS over CalyxOS"
 icon: 'material/cellphone-cog'
 ---
+
+GrapheneOS and CalyxOS are commonly compared as similar options for people looking for an alternative Android OS for their Pixel devices. Below are some of the reasons why we recommend GrapheneOS over CalyxOS.
+
 ## Profiles
 
-CalyxOS includes a device controller app so there is no need to install a third party app like Shelter.
+CalyxOS includes a device controller app so there is no need to install a third-party app like Shelter.
 
-GrapheneOS extends the user profile feature, allowing you to end a current session. To do this, select *End Session* which will clear the encryption key from memory. There are plans to add a [cross profile notifications system](https://github.com/GrapheneOS/os-issue-tracker/issues/88) in the future. GrapheneOS plans to introduce nested profile support with better isolation in the future.
+GrapheneOS extends the user profile feature, allowing you to end a current session. To do this, select *End Session* which will clear the encryption key from memory. GrapheneOS also provides [cross-profile notification forwarding](https://grapheneos.org/features#notification-forwarding). GrapheneOS plans to introduce nested profile support with better isolation in the future.
 
 ## Sandboxed Google Play vs Privileged microG
 
@@ -22,21 +25,23 @@ Local RF location backends like DejaVu require that the phone has a working GPS
 
 If your threat model requires protecting your location or the MAC addresses of nearby devices, rerouting location requests to the OS location API is probably the best option. The benefit brought by microG's custom location backend is minimal at best when compared to Sandboxed Play Services.
 
-In terms of application compatibility, Sandboxed Google Play on GrapheneOS outperforms microG on CalyxOS due to its support for many services which microG has not yet implemented, like [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html). Larger apps, especially games, require Play Delivery to be installed, which is currently not implemented in microG. Authentication using [FIDO](security/multi-factor-authentication#fido-fast-identity-online) with online services on Android also relies on Play Services, and does not currently work with microG.
+In terms of application compatibility, Sandboxed Google Play on GrapheneOS is always going to be more compatible as it is the same code as what is released by Google. microG is a reimplementation of these services. As a result of that it only supports the various parts that have been reimplemented, meaning some things such as [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html) are not yet supported.
 
-[^1]: It should be noted that microG still uses proprietary Google binaries for some of its components such as DroidGuard. Push notifications, if enabled, still go through Google's servers just like with Play Services. Outisde of default microG setups like on CalyxOS, it is possible to run microG in the unprivileged `untrusted app` SELinux domain and without the signature spoofing patch. However, microG's functionality and compatibility, which is already not nearly as broad as Sandboxed Play Services, will greatly diminish.
+Larger apps, especially games, require Play Delivery to be installed, which is currently not implemented in microG. Authentication using [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) with online services on Android also relies on Play Services, and does not currently work with microG.
+
+[^1]: It should be noted that microG still uses proprietary Google binaries for some of its components such as DroidGuard. Push notifications, if enabled, still go through Google's servers just like with Play Services. Outside of default microG setups like on CalyxOS, it is possible to run microG in the unprivileged [`untrusted app`](https://source.android.com/security/selinux/concepts) SELinux domain and without the signature spoofing patch. However, microG's functionality and compatibility, which is already not nearly as broad as Sandboxed Play Services, will greatly diminish.
 
 ## Privileged eSIM Activation Application
 
 Currently, eSIM activation is tied to a privileged proprietary application by Google. The app has the `READ_PRIVILEGED_PHONE_STATE` permission, giving Google access to your hardware identifiers such as the IMEI.
 
-On GrapheneOS, the app comes disabled, and can be *optionally* enabled by the user after they have installed Sandboxed Play Services.
+On GrapheneOS, the app comes disabled and can be *optionally* enabled by the user after they have installed Sandboxed Play Services.
 
-On CalyxOS, the app comes installed by default (regardless of whether you choose to have microG or not) and cannot be opted out. This is particularly problematic, as it means Google still has access to the user's hardware identifiers regardless of whether they even need the eSIM activation or not, and can access them persistently.
+On CalyxOS, the app comes installed by default (regardless of whether you choose to have microG or not) and cannot be opted out. This means Google still has access to your hardware identifiers regardless of whether or not you need eSIM activation and can be accessed persistently.
 
 ## Privileged App Extensions
 
-Android 12 comes with special support for seamless app updates with [third party app stores](https://android-developers.googleblog.com/2020/09/listening-to-developer-feedback-to.html). The popular Free and Open Source Software (FOSS) repository [F-Droid](https://f-droid.org) doesn't implement this feature and requires a [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged) to be included with the Android distribution in order to have unattended app installation.
+Android 12 comes with special support for seamless app updates with [third-party app stores](https://android-developers.googleblog.com/2020/09/listening-to-developer-feedback-to.html). The popular Free and Open-Source Software (FOSS) repository [F-Droid](https://f-droid.org) doesn't implement this feature and requires a [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged) to be included with the Android distribution in order to have unattended app installation.
 
 GrapheneOS does not include F-Droid, because all updates have to be manually installed, which poses a security risk. However, you can use the [Neo Store](../android.md#neo-store) client for F-Droid which does support seamless (background) app updates in Android 12. GrapheneOS officially recommends [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play) instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like [NewPipe](../video-streaming.md)).
 
@@ -46,7 +51,7 @@ CalyxOS includes the [privileged extension](https://f-droid.org/en/packages/org.
 
 GrapheneOS improves upon [AOSP](https://source.android.com/) security with:
 
-- **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means that apps which use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium/tree/12/patches) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it.
+- **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means that apps which use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it.
 - **Hardened Kernel:** GrapheneOS kernel includes some hardening from the [linux-hardened](https://github.com/GrapheneOS/linux-hardened) project and the [Kernel Self Protection Project (KSPP)](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project). CalyxOS uses the [same kernel](https://calyxos.org/docs/development/build/kernel/) as regular Android with some minor modifications.
 - **Hardened Memory Allocator:** GrapheneOS uses the [hardened malloc](https://github.com/GrapheneOS/hardened_malloc) subproject as its memory allocator. This focuses on hardening against [memory heap corruption](https://en.wikipedia.org/wiki/Memory_corruption). CalyxOS uses the default AOSP [Scudo Malloc](https://source.android.com/devices/tech/debug/scudo), which is generally [less effective](https://twitter.com/danielmicay/status/1033671709197398016). Hardened Malloc has uncovered vulnerabilities in AOSP which have been [fixed](https://github.com/GrapheneOS/platform_system_core/commit/be11b59725aa6118b0e1f0712572e835c3d50746) by GrapheneOS such as [CVE-2021-0703](https://nvd.nist.gov/vuln/detail/CVE-2021-0703).
 - **Secure Exec Spawning:** GrapheneOS [spawns](https://en.wikipedia.org/wiki/Spawn_(computing)) fresh processes as opposed to using the [Zygote model](https://ayusch.com/android-internals-the-android-os-boot-process) used by AOSP and CalyxOS. The Zygote model weakens [Address Space Layout Randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) and is considered [less secure](https://wenke.gtisc.gatech.edu/papers/morula.pdf). Creating [fresh processes](https://grapheneos.org/usage#exec-spawning) is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an [old device](https://support.google.com/nexus/answer/4457705) with slow storage such as the Pixel 3a/3a XL as it has [eMMC](https://en.wikipedia.org/wiki/MultiMediaCard#eMMC).

docs/android/overview.en.md

@@ -6,9 +6,9 @@ Android is a secure operating system that has strong [app sandboxing](https://so
 
 ## Choosing an Android Distribution
 
-When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open Source Project](https://source.android.com/). An example of such is Google Play Services, which has unrevokable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
 
-This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accomodate debugging features, resulting in a further increased attack surface and weakened security model.
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
 
 Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.
 
@@ -18,7 +18,7 @@ Ideally, when choosing a custom Android distribution, you should make sure that
 
 [Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
 
-Adblockers which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
 
 AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
 
@@ -30,33 +30,40 @@ We do not believe that the security sacrifices made by rooting a phone are worth
 
 Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted.
 
-Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting device.
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device.
 
-Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
 
 ## Firmware Updates
 
-Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
 
-As the components of the phone such as the processor and radio technologies rely on closed source components, the updates must be provided by the respective manufacturers. Therefore it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
+As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.
 
 EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
 
+Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
 ## Android Versions
 
 It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
 
 ## Android Permissions
 
-[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore there is no need to install any antivirus apps. The savings you make from not purchasing or subscribing to security apps is better spent on paying for a supported device in the future.
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
 
-Should you want to run an app that you're unsure about, consider using a user or work [profile](android/#android-security-privacy).
+Should you want to run an app that you're unsure about, consider using a user or work profile.
+
+## Media Access
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
 
 ## User Profiles
 
 Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
 
-With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles is a more secure method of isolation.
+With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
 
 ## Work Profile
 
@@ -70,7 +77,7 @@ This method is generally less secure than a secondary user profile; however, it
 
 ## VPN Killswitch
 
-Android 7 and above supports a VPN killswitch and it is available without the need to install third party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in (:gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**).
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
 
 ## Global Toggles
 
@@ -86,8 +93,8 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr
 
 The Advanced Protection Program provides enhanced threat monitoring and enables:
 
-- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp), and [OAuth](https://en.wikipedia.org/wiki/OAuth)
-- Only Google and verified third party apps can access account data
+- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third-party apps can access account data
 - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
 - Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
 - Stricter recovery process for accounts with lost credentials
@@ -119,7 +126,7 @@ You will either be given the option to delete your advertising ID or to *Opt out
 
 ### SafetyNet and Play Integrity API
 
-[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financal apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
 
 As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
 

docs/assets/img/android/calyxos.svg

@@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.43429 0 0 .43429 -102.24 -35.595)" stroke-width=".26458"><path d="m313.4 119.93c-7.7343 13.52-22.298 22.631-38.991 22.631-16.692 0-31.256-9.1114-38.991-22.631 7.7346-13.521 22.299-22.632 38.991-22.632 16.693 0 31.257 9.1115 38.991 22.632" fill="#9acc01"/><path d="m298.61 144.6-6.8334-12.569c2.364-3.4422 3.7478-7.6102 3.7478-12.101 0-11.819-9.5811-21.4-21.4-21.4-11.819 0-21.4 9.5806-21.4 21.4 0 11.819 9.5811 21.4 21.4 21.4 4.4736 0 8.6265-1.3727 12.061-3.7206l12.422 6.9937z" fill="#231f20"/><path d="m284.91 125.24c0 5.7915-4.7106 10.502-10.502 10.502-5.7915 0-10.502-4.7106-10.502-10.502v-12.917c0-0.80301 0.65352-1.456 1.4565-1.456 0.80275 0 1.456 0.65299 1.456 1.456v7.8192c0 0.4236 0.34263 0.76623 0.76702 0.76623 8e-3 0 0.0167-2e-3 0.0257-2e-3s0.0164 2e-3 0.0251 2e-3c0.4236 0 0.7665-0.34263 0.7665-0.76623v-11.856c0-0.80354 0.65299-1.4571 1.4565-1.4571s1.4565 0.65352 1.4565 1.4571v11.166c0 0.42387 0.34343 0.76624 0.76677 0.76624 0.42254 0 0.76623-0.34264 0.76623-0.76624v-13.875c0-0.80301 0.65378-1.4555 1.4563-1.4555 0.80354 0 1.4568 0.65246 1.4568 1.4555v13.773c0 0.42413 0.34317 0.76703 0.7665 0.76703 0.42307 0 0.7665-0.34317 0.7665-0.76703v-11.37c0-0.80327 0.65352-1.4565 1.4565-1.4565 0.80327 0 1.456 0.65352 1.456 1.4565v14.555c-1.7436 0.16219-5.8518 1.0464-7.543 5.7222-0.14366 0.39793 0.0622 0.83767 0.46038 0.9824 0.0857 0.031 0.1741 0.0455 0.26009 0.0455 0.31379 0 0.60748-0.19474 0.72125-0.50536 1.7732-4.903 6.6273-4.7546 6.8313-4.7464l0.80354 0.0386v-8.0939c0-0.80301 0.7112-1.4565 1.5843-1.4565 0.87392 0 1.5841 0.65352 1.5841 1.4565v9.2625zm-1.5841-12.253c-0.57864 0-1.1192 0.15557-1.5843 0.41963v-5.4277c0-1.6486-1.3409-2.9901-2.9895-2.9901-0.53314 0-1.0327 0.14261-1.4666 0.38761-0.10398-1.555-1.3991-2.789-2.98-2.789-1.6484 0-2.9893 1.3409-2.9893 2.989v0.10001c-0.4318-0.2413-0.92763-0.381-1.4565-0.381-1.6481 0-2.9893 1.3409-2.9893 2.9901v1.4594c-0.44344-0.26035-0.95752-0.41222-1.5079-0.41222-1.6486 0-2.99 1.3404-2.99 2.9893v12.917c0 6.636 5.3991 12.035 12.036 12.035 6.636 0 12.035-5.3991 12.035-12.035v-9.2631c0-1.6484-1.3981-2.9893-3.1171-2.9893" fill="#9acc01"/></g></svg>

docs/assets/img/browsers/bromite.svg

@@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.866 33.866" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(1.9999 0 0 1.9999 -.00028793 -560.11)"><g transform="matrix(.1411 0 0 .1411 -22.448 274.09)"><g transform="matrix(6.5975,0,0,6.5975,-881.57,-908.75)"><path d="m166.76 148.57v2.8e-4c-0.0731 1e-3 -0.14646 3e-3 -0.21965 6e-3 -2.0814 0.0983-3.9695 1.2488-5.0113 3.0532-0.27591 0.47789-0.47972 0.97776-0.61543 1.4866 1.8658 0.19779 3.5534 0.93382 4.9049 2.0531 2.7603 1.8081 5.5017 1.1662 7.0499 0.51897 0.40336-2.4423-0.70912-4.988-2.9792-6.2988-0.95179-0.54962-2.0328-0.83212-3.1292-0.81971z" fill="#d0f6ed" stroke-width=".14568"/><path d="m166.59 152.15c-1.5641 9.9e-4 -2.9951 0.51259-3.7051 1.324 0.94324 0.3021 1.8146 0.75292 2.5877 1.3259-1.2e-4 -3.9e-4 -1.6e-4 -1e-3 -2.9e-4 -1e-3 1.3493-0.74086 3.1114-1.2154 4.6422-1.5091-0.75982-0.70753-2.0913-1.1376-3.5245-1.1388v-5.6e-4z" fill="#4de564" stroke-width=".27973"/><path d="m172.56 152.93c-1.6055 0.16301-4.8923 0.66396-7.0864 1.8687 0.12815 0.095 0.25361 0.19321 0.37621 0.29474 2.6929 1.7639 5.3671 1.1376 6.8778 0.50616 0.14847-0.89893 0.0864-1.8121-0.16739-2.6696z" fill="#06c23c" stroke-width=".38858"/><path d="m170.2 144.17c-0.297-8e-3 -0.58809 0.14301-0.74764 0.41937l-0.15266 0.26436c-0.23207 0.40197-0.0953 0.91236 0.30665 1.1444l0.0712 0.0411-0.6784 1.175c-0.68491-0.19996-1.3964-0.30489-2.1144-0.30964l-3e-4 -2.9e-4c-0.13829-9.1e-4 -0.27683 2e-3 -0.41545 8e-3 -2.6278 0.12414-5.0122 1.5767-6.3272 3.8551-2.1338 3.6958-0.86761 8.4218 2.8282 10.556 3.696 2.1338 8.4218 0.86727 10.556-2.8288 1.8213-3.155 1.1646-7.0602-1.3656-9.463l0.67518-1.1694 0.0706 0.0407c0.40198 0.23207 0.91244 0.0953 1.1445-0.30665l0.15259-0.26436c0.23207-0.40197 0.0953-0.91243-0.30665-1.1445l-3.2996-1.905c-0.12562-0.0725-0.26181-0.10907-0.3968-0.11272zm-3.434 4.6336c1.0696-0.0121 2.1243 0.26346 3.0528 0.79964 2.2146 1.2787 3.1576 3.6198 2.7641 6.0024-1.5104 0.63142-4.0427 1.1156-6.7355-0.6483-1.3185-1.0919-2.8225-1.6679-4.6427-1.8609 0.13239-0.49643 0.33106-0.98387 0.60022-1.4501 1.0163-1.7604 2.7165-2.7406 4.7469-2.8365 0.0714-3e-3 0.14275-5e-3 0.21406-6e-3z" fill="#25935e" stroke-width=".28021"/></g></g></g></svg>

docs/assets/img/calendar-contacts/decsync.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><g transform="scale(.71111)"><rect width="47.494" height="47.494" x=".066" y=".066" style="-inkscape-stroke:none;fill-rule:evenodd;fill:#0277bd;font-variation-settings:normal;stop-color:#000;stroke-width:.13102;stroke:#0277bd"/><g transform="matrix(.11719 0 0 .11736 26.539 14.264)" style="fill:#fff;stroke:#fff"><circle cx="-22.301" cy="79.286" r="153.93" style="opacity:0;paint-order:markers stroke fill;stroke-width:2.84"/><g style="fill:#fff;stroke:#fff"><path d="m130.21 77.865v1.4199c0 69.032-46.356 129.44-113.04 147.31s-137.03-11.271-171.54-71.055l-0.70898-1.2305-2.459 1.4199 0.70899 1.2305c35.152 60.884 106.83 90.575 174.74 72.379s115.14-79.749 115.14-150.05v-1.4199z" style="color-rendering:auto;color:#000;dominant-baseline:auto;fill:#fff;font-feature-settings:normal;font-variant-alternates:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-position:normal;image-rendering:auto;isolation:auto;mix-blend-mode:normal;paint-order:markers stroke fill;shape-padding:0;shape-rendering:auto;solid-color:#000;stroke-linecap:square;stroke-linejoin:round;stroke-width:20.386;stroke:#fff;text-decoration-color:#000;text-decoration-line:none;text-decoration-style:solid;text-indent:0;text-orientation:mixed;text-transform:none;white-space:normal"/><path d="m131.62 66.176 11.36 19.653h-22.72z" style="fill-rule:evenodd;fill:#fff;stroke-width:20.386;stroke:#fff"/></g><g style="fill:#fff;stroke:#fff"><path d="m130.21 77.865v1.4199c0 69.032-46.356 129.44-113.04 147.31s-137.03-11.271-171.54-71.055l-0.70898-1.2305-2.459 1.4199 0.70899 1.2305c35.152 60.884 106.83 90.575 174.74 72.379s115.14-79.749 115.14-150.05v-1.4199z" transform="rotate(180 -22.116 79.492)" style="color-rendering:auto;color:#000;dominant-baseline:auto;fill:#fff;font-feature-settings:normal;font-variant-alternates:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-position:normal;image-rendering:auto;isolation:auto;mix-blend-mode:normal;paint-order:markers stroke fill;shape-padding:0;shape-rendering:auto;solid-color:#000;stroke-linecap:square;stroke-linejoin:round;stroke-width:20.386;stroke:#fff;text-decoration-color:#000;text-decoration-line:none;text-decoration-style:solid;text-indent:0;text-orientation:mixed;text-transform:none;white-space:normal"/><path d="m131.62 66.176 11.36 19.653h-22.72z" transform="rotate(180 -22.116 79.492)" style="fill-rule:evenodd;fill:#fff;stroke-width:20.386;stroke:#fff"/></g></g><g style="fill:#fff"><path d="m5.0271 0.79375h-0.26458v-0.52917h-0.52917v0.52917h-2.1167v-0.52917h-0.52917v0.52917h-0.26458a0.52917 0.52917 0 0 0-0.52917 0.52917v3.7042a0.52917 0.52917 0 0 0 0.52917 0.52917h3.7042c0.29104 0 0.52917-0.23812 0.52917-0.52917v-3.7042c0-0.29104-0.23812-0.52917-0.52917-0.52917zm-1.8521 0.79375c0.43921 0 0.79375 0.35454 0.79375 0.79375s-0.35454 0.79375-0.79375 0.79375-0.79375-0.35454-0.79375-0.79375 0.35454-0.79375 0.79375-0.79375zm1.5875 3.175h-3.175v-0.26458c0-0.52917 1.0583-0.82021 1.5875-0.82021s1.5875 0.29104 1.5875 0.82021z" transform="matrix(4.4012 0 0 4.4076 9.7615 10.587)" style="fill:#fff;stroke-width:.26458"/></g></g></svg>

docs/assets/img/calendar-contacts/nextcloud.svg

@@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><path id="XMLID_107_" d="m16.959 5.8379c-3.5104 0-6.4858 2.3798-7.408 5.6042-0.80146-1.7103-2.5382-2.9085-4.5387-2.9085-2.7511 0-5.0126 2.2615-5.0126 5.0126 0 2.7511 2.2615 5.0137 5.0126 5.0137 2.0005 0 3.7373-1.1989 4.5387-2.9095 0.92217 3.2246 3.8975 5.6053 7.408 5.6053 3.4845 0 6.4447-2.3447 7.3904-5.533 0.81627 1.6717 2.5316 2.8372 4.5036 2.8372 2.7511 0 5.0137-2.2625 5.0137-5.0137 0-2.7511-2.2625-5.0126-5.0137-5.0126-1.9721 0-3.6874 1.1647-4.5036 2.8362-0.94575-3.188-3.9059-5.532-7.3904-5.532zm0 2.9425c2.65 0 4.7669 2.1159 4.7669 4.7659 0 2.65-2.1169 4.7669-4.7669 4.7669-2.65 0-4.7659-2.1169-4.7659-4.7669 0-2.65 2.1159-4.7659 4.7659-4.7659zm-11.947 2.6958c1.161 0 2.0711 0.90908 2.0711 2.0701 0 1.161-0.91012 2.0711-2.0711 2.0711-1.161 0-2.0701-0.91012-2.0701-2.0711 0-1.161 0.90909-2.0701 2.0701-2.0701zm23.841 0c1.161 0 2.0711 0.90908 2.0711 2.0701 0 1.161-0.91012 2.0711-2.0711 2.0711-1.161 0-2.0701-0.91012-2.0701-2.0711 0-1.161 0.90909-2.0701 2.0701-2.0701z" color="#000000" color-rendering="auto" fill="#0082c9" image-rendering="auto" shape-rendering="auto" solid-color="#000000" style="isolation:auto;mix-blend-mode:normal;text-decoration-color:#000000;text-decoration-line:none;text-decoration-style:solid;text-indent:0;text-transform:none;white-space:normal"/><g transform="matrix(.13987 0 0 .13987 3.3867 17.958)" fill="#0082c9"><path id="XMLID_121_" d="m37.67 48.9c5.9 0 9.2 4.2 9.2 10.5 0 0.6-0.5 1.1-1.1 1.1h-15.9c0.1 5.6 4 8.8 8.5 8.8 2.8 0 4.8-1.2 5.8-2 0.6-0.4 1.1-0.3 1.4 0.3l0.3 0.5c0.3 0.5 0.2 1-0.3 1.4-1.2 0.9-3.8 2.4-7.3 2.4-6.5 0-11.5-4.7-11.5-11.5 0.1-7.2 4.9-11.5 10.9-11.5zm6.1 9.4c-0.2-4.6-3-6.9-6.2-6.9-3.7 0-6.9 2.4-7.6 6.9z"/><path id="XMLID_119_" d="m76.9 52.1v-7.7c0-0.7 0.4-1.1 1.1-1.1h0.8c0.7 0 1 0.4 1 1.1v5.2h4.5c0.7 0 1.1 0.4 1.1 1.1v0.3c0 0.7-0.4 1-1.1 1h-4.5v11c0 5.1 3.1 5.7 4.8 5.8 0.9 0.1 1.2 0.3 1.2 1.1v0.6c0 0.7-0.3 1-1.2 1-4.8 0-7.7-2.9-7.7-8.1z"/><path id="XMLID_117_" d="m99.8 48.9c3.8 0 6.2 1.6 7.3 2.5 0.5 0.4 0.6 0.9 0.1 1.5l-0.3 0.5c-0.4 0.6-0.9 0.6-1.5 0.2-1-0.7-2.9-2-5.5-2-4.8 0-8.6 3.6-8.6 8.9 0 5.2 3.8 8.8 8.6 8.8 3.1 0 5.2-1.4 6.2-2.3 0.6-0.4 1-0.3 1.4 0.3l0.3 0.4c0.3 0.6 0.2 1-0.3 1.5-1.1 0.9-3.8 2.8-7.8 2.8-6.5 0-11.5-4.7-11.5-11.5 0.1-6.8 5.1-11.6 11.6-11.6z"/><path id="XMLID_115_" d="m113.1 41.8c0-0.7-0.4-1.1 0.3-1.1h0.8c0.7 0 1.8 0.4 1.8 1.1v23.9c0 2.8 1.3 3.1 2.3 3.2 0.5 0 0.9 0.3 0.9 1v0.7c0 0.7-0.3 1.1-1.1 1.1-1.8 0-5-0.6-5-5.4z"/><path id="XMLID_112_" d="m133.6 48.9c6.4 0 11.6 4.9 11.6 11.4 0 6.6-5.2 11.6-11.6 11.6s-11.6-5-11.6-11.6c0-6.5 5.2-11.4 11.6-11.4zm0 20.4c4.7 0 8.5-3.8 8.5-9 0-5-3.8-8.7-8.5-8.7s-8.6 3.8-8.6 8.7c0.1 5.1 3.9 9 8.6 9z"/><path id="XMLID_109_" d="m183.5 48.9c5.3 0 7.2 4.4 7.2 4.4h0.1s-0.1-0.7-0.1-1.7v-9.9c0-0.7-0.3-1.1 0.4-1.1h0.8c0.7 0 1.8 0.4 1.8 1.1v28.5c0 0.7-0.3 1.1-1 1.1h-0.7c-0.7 0-1.1-0.3-1.1-1v-1.7c0-0.8 0.2-1.4 0.2-1.4h-0.1s-1.9 4.6-7.6 4.6c-5.9 0-9.6-4.7-9.6-11.5-0.2-6.8 3.9-11.4 9.7-11.4zm0.1 20.4c3.7 0 7.1-2.6 7.1-8.9 0-4.5-2.3-8.8-7-8.8-3.9 0-7.1 3.2-7.1 8.8 0.1 5.4 2.9 8.9 7 8.9z"/><path id="XMLID_103_" d="m1 71.4h0.8c0.7 0 1.1-0.4 1.1-1.1v-21.472c0-3.4 3.7-5.8277 7.9-5.8277s7.9 2.4277 7.9 5.8277v21.472c0 0.7 0.4 1.1 1.1 1.1h0.8c0.7 0 1-0.4 1-1.1v-21.6c0-5.7-5.7-8.5-10.9-8.5-5 0-10.7 2.8-10.7 8.5v21.6c0 0.7 0.3 1.1 1 1.1z"/><path id="XMLID_102_" d="m167.9 49.4h-0.8c-0.7 0-1.1 0.4-1.1 1.1v12.1c0 3.4-2.2 6.5-6.5 6.5-4.2 0-6.5-3.1-6.5-6.5v-12.1c0-0.7-0.4-1.1-1.1-1.1h-0.8c-0.7 0-1 0.4-1 1.1v12.9c0 5.7 4.2 8.5 9.4 8.5s9.4-2.8 9.4-8.5v-12.9c0.1-0.7-0.3-1.1-1-1.1z"/><path d="m68.908 49.236c-0.24494 0.0391-0.4801 0.20259-0.70508 0.4707l-4.0469 4.8242-3.0293 3.6094-4.5859-5.4668-2.4883-2.9668c-0.22498-0.26812-0.47975-0.41472-0.74414-0.4375-0.26439-0.02278-0.53852 0.07775-0.80664 0.30273l-0.61328 0.51367c-0.53623 0.44995-0.50854 0.94814-0.05859 1.4844l4.0488 4.8242 3.3574 4-4.916 5.8574c-0.0037 0.0044-0.0061 0.0093-0.0098 0.01367l-2.4805 2.9551c-0.44995 0.53623-0.39953 1.1008 0.13672 1.5508l0.61328 0.51172c0.53623 0.44995 1.0227 0.33701 1.4727-0.19922l4.0469-4.8242 3.0293-3.6094 4.5859 5.4668c3e-3 0.0036 0.0067 0.0062 0.0098 0.0098l2.4805 2.957c0.44995 0.53623 1.0126 0.58474 1.5488 0.13476l0.61328-0.51367c0.53623-0.44995 0.50854-0.94814 0.05859-1.4844l-4.0488-4.8242-3.3574-4 4.916-5.8574c0.0037-0.0044 0.0061-0.0093 0.0098-0.01367l2.4805-2.9551c0.44995-0.53623 0.39953-1.1008-0.13672-1.5508l-0.61328-0.51367c-0.26812-0.22498-0.52264-0.30864-0.76758-0.26953z"/></g></svg>

docs/assets/img/cloud/tahoe-lafs-dark.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.866 33.866"><g transform="matrix(-.49803 0 0 .49803 16.933 28.886)"><path fill="#fff" d="m64 30.117-5.6465 16.941h3.7637v62.117h3.7656v-62.117h3.7637l-5.6465-16.941z" color="#000" color-rendering="auto" dominant-baseline="auto" image-rendering="auto" shape-rendering="auto" solid-color="#000000" transform="matrix(-.53125 0 0 .53125 34 -58)" style="font-feature-settings:normal;font-variant-alternates:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-position:normal;isolation:auto;mix-blend-mode:normal;shape-padding:0;text-decoration-color:#000;text-decoration-line:none;text-decoration-style:solid;text-indent:0;text-orientation:mixed;text-transform:none;white-space:normal"/><path fill="#fff" d="m83.75 57.334-11.309 13.82 3.5195 1.3418-13.719 36.012 3.5156 1.3379 13.719-36.012 3.5195 1.3418 0.75391-17.842z" color="#000" color-rendering="auto" dominant-baseline="auto" image-rendering="auto" shape-rendering="auto" solid-color="#000000" transform="matrix(-.53125 0 0 .53125 34 -58)" style="font-feature-settings:normal;font-variant-alternates:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-position:normal;isolation:auto;mix-blend-mode:normal;shape-padding:0;text-decoration-color:#000;text-decoration-line:none;text-decoration-style:solid;text-indent:0;text-orientation:mixed;text-transform:none;white-space:normal"/><path fill="#fff" d="m44.25 57.334 0.75391 17.842 3.5195-1.3418 13.719 36.012 3.5156-1.3379-13.719-36.012 3.5195-1.3418-11.309-13.82z" color="#000" color-rendering="auto" dominant-baseline="auto" image-rendering="auto" shape-rendering="auto" solid-color="#000000" transform="matrix(-.53125 0 0 .53125 34 -58)" style="font-feature-settings:normal;font-variant-alternates:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-position:normal;isolation:auto;mix-blend-mode:normal;shape-padding:0;text-decoration-color:#000;text-decoration-line:none;text-decoration-style:solid;text-indent:0;text-orientation:mixed;text-transform:none;white-space:normal"/><circle r="10" fill="red"/><g fill="#fff"><circle cy="-50" r="8" class="storage"/><circle cx="-14" cy="-35" r="8" class="storage"/><circle cx="14" cy="-35" r="8" class="storage"/></g></g></svg>

docs/assets/img/cloud/tahoe-lafs.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.866 33.866"><g transform="matrix(-.49803 0 0 .49803 16.933 28.886)"><path d="m64 30.117-5.6465 16.941h3.7637v62.117h3.7656v-62.117h3.7637l-5.6465-16.941z" color="#000" color-rendering="auto" dominant-baseline="auto" image-rendering="auto" shape-rendering="auto" solid-color="#000000" transform="matrix(-.53125 0 0 .53125 34 -58)" style="font-feature-settings:normal;font-variant-alternates:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-position:normal;isolation:auto;mix-blend-mode:normal;shape-padding:0;text-decoration-color:#000;text-decoration-line:none;text-decoration-style:solid;text-indent:0;text-orientation:mixed;text-transform:none;white-space:normal"/><path d="m83.75 57.334-11.309 13.82 3.5195 1.3418-13.719 36.012 3.5156 1.3379 13.719-36.012 3.5195 1.3418 0.75391-17.842z" color="#000" color-rendering="auto" dominant-baseline="auto" image-rendering="auto" shape-rendering="auto" solid-color="#000000" transform="matrix(-.53125 0 0 .53125 34 -58)" style="font-feature-settings:normal;font-variant-alternates:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-position:normal;isolation:auto;mix-blend-mode:normal;shape-padding:0;text-decoration-color:#000;text-decoration-line:none;text-decoration-style:solid;text-indent:0;text-orientation:mixed;text-transform:none;white-space:normal"/><path d="m44.25 57.334 0.75391 17.842 3.5195-1.3418 13.719 36.012 3.5156-1.3379-13.719-36.012 3.5195-1.3418-11.309-13.82z" color="#000" color-rendering="auto" dominant-baseline="auto" image-rendering="auto" shape-rendering="auto" solid-color="#000000" transform="matrix(-.53125 0 0 .53125 34 -58)" style="font-feature-settings:normal;font-variant-alternates:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-position:normal;isolation:auto;mix-blend-mode:normal;shape-padding:0;text-decoration-color:#000;text-decoration-line:none;text-decoration-style:solid;text-indent:0;text-orientation:mixed;text-transform:none;white-space:normal"/><circle r="10" fill="red"/><g><circle cy="-50" r="8" class="storage"/><circle cx="-14" cy="-35" r="8" class="storage"/><circle cx="14" cy="-35" r="8" class="storage"/></g></g></svg>

docs/assets/img/email/anonaddy-dark.svg

@@ -1,2 +1 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="384" height="128" version="1.1" viewBox="0 0 101.6 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.05357 0 0 .05357 -2.7694 6.1687)"><path class="st0" d="m107.8 179.5c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.1 2.3-18.7l37-28.9c5.8-4.5 14.1-3.5 18.7 2.3 4.5 5.8 3.5 14.1-2.3 18.7l-37 28.9c-1.8 1.5-3.9 2.4-6.1 2.7z" fill="#3ae7e1"/><path class="st1" d="m71.9 207.7c-4.6 0.7-9.5-1-12.6-4.9-4.5-5.8-3.5-14.1 2.3-18.7l3.5-2.7c5.8-4.5 14.1-3.5 18.7 2.3 4.5 5.8 3.5 14.1-2.3 18.7l-3.5 2.7c-1.8 1.4-3.9 2.3-6.1 2.6z" fill="#f5f7fa"/><path class="st0" d="m67.1 283.6c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.1 2.3-18.7l81.2-63.4c5.8-4.5 14.2-3.5 18.7 2.3s3.5 14.1-2.3 18.7l-81.2 63.5c-1.9 1.4-4 2.3-6.1 2.6z" fill="#3ae7e1"/><path class="st1" d="m182.8 193.6c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.1 2.3-18.7l12.9-10.1c5.8-4.5 14.1-3.5 18.7 2.3 4.5 5.8 3.5 14.1-2.3 18.7l-12.9 10.1c-1.9 1.4-4 2.3-6.1 2.7z" fill="#f5f7fa"/><path class="st0" d="m175.7 271.1c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.1 2.3-18.7l66.6-52c5.8-4.5 14.2-3.5 18.7 2.3s3.5 14.1-2.3 18.7l-66.6 52c-1.8 1.5-3.9 2.4-6.1 2.7z" fill="#3ae7e1"/><path class="st1" d="m139.3 300c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.2 2.3-18.7l4.7-3.7c5.8-4.5 14.2-3.5 18.7 2.3s3.5 14.2-2.3 18.7l-4.7 3.7c-1.9 1.5-4 2.4-6.1 2.7z" fill="#f5f7fa"/><path class="st0" d="m475 40.4h-308.8c-11.5 0-22.2 7.1-25.6 18.1-1.6 5.1-1.5 10.3 0 15 1.5 4.8 4.5 9.2 8.7 12.5 0 0 118.3 91.9 147.3 111.9 10.4 6.7 20.5 4.4 26.5-0.2l150.1-116.8v201.9c0 19.7-16 35.7-35.7 35.7h-283.7c-7.3 0-13.2 5.9-13.2 13.2 0 7.4 6 13.4 13.4 13.4h283.4c34.4 0 62.3-27.9 62.3-62.3v-217.7c0.1-13.6-11-24.7-24.7-24.7zm-213.6 110.1 0.1-0.7 0.4 0.6zm48.3 24-137.5-107.5h275.5z" fill="#3ae7e1"/><g fill="#3ae7e1"><path class="st0" d="m791.7 281.8c2.4 6.5 0 9.8-6.8 9.8h-15.5c-12.2 0-16.1-1.8-18.4-8.9l-13.7-38.4h-82.1l-14 38.4c-2.4 7.1-6.2 8.9-18.4 8.9h-13.7c-6.8 0-9.2-3.3-6.8-9.8l74.3-193.3c2.7-6.8 5.4-8.3 12.5-8.3h15.8c7.1 0 10.1 1.8 12.5 8zm-87.4-130.8c-3.6-10.7-5.9-24.4-6.8-31.2l-0.3-5.1h-2.1c0 11.3-2.1 23.2-6.5 36l-22.9 63h61.3z"/><path class="st0" d="m881.8 133.2c41.6 0 61.8 21.4 61.8 59.8v89.5c0 6.8-2.4 9.2-9.2 9.2h-16.4c-6.8 0-8.9-2.4-8.9-9.2v-88.6c0-19.3-10.7-29.1-32.4-29.1-9.5 0-19 1.2-28.5 3.9-1.5 0.6-2.1 1.5-2.1 3v110.9c0 6.8-2.1 9.2-8.9 9.2h-16.4c-6.8 0-9.2-2.4-9.2-9.2v-122.4c0-9.5 2.1-13.1 11.6-16.9 17-6.9 36.3-10.1 58.6-10.1z"/><path class="st0" d="m971.6 192.6c0-37.2 24.7-59.5 68.4-59.5 44 0 68.7 22.3 68.7 59.5v44c0 37.2-24.7 59.5-68.7 59.5-43.7 0-68.4-22.3-68.4-59.5zm102.6 0c0-18.1-12.5-28.2-34.2-28.2s-33.9 10.1-33.9 28.2v44c0 17.8 12.2 28.2 33.9 28.2s34.2-10.4 34.2-28.2z"/><path class="st0" d="m1207.7 133.2c41.6 0 61.8 21.4 61.8 59.8v89.5c0 6.8-2.4 9.2-9.2 9.2h-16.4c-6.8 0-8.9-2.4-8.9-9.2v-88.6c0-19.3-10.7-29.1-32.4-29.1-9.5 0-19 1.2-28.5 3.9-1.5 0.6-2.1 1.5-2.1 3v110.9c0 6.8-2.1 9.2-8.9 9.2h-16.4c-6.8 0-9.2-2.4-9.2-9.2v-122.4c0-9.5 2.1-13.1 11.6-16.9 16.9-6.9 36.3-10.1 58.6-10.1z"/></g><g fill="#f5f7fa"><path class="st1" d="m1477.7 281.8c2.4 6.5 0 9.8-6.8 9.8h-15.5c-12.2 0-16.1-1.8-18.4-8.9l-13.7-38.4h-82.1l-14 38.4c-2.4 7.1-6.2 8.9-18.4 8.9h-13.7c-6.8 0-9.2-3.3-6.8-9.8l74.3-193.3c2.7-6.8 5.4-8.3 12.5-8.3h15.8c7.1 0 10.1 1.8 12.5 8zm-87.5-130.8c-3.6-10.7-5.9-24.4-6.8-31.2l-0.3-5.1h-2.1c0 11.3-2.1 23.2-6.5 36l-22.9 63h61.3z"/><path class="st1" d="m1490.7 195.3c0-40.4 20.8-62.1 62.1-62.1 9.2 0 20.8 1.2 35.4 3.9v-56.3c0-6.8 2.1-9.2 8.9-9.2h16.4c6.8 0 9.2 2.4 9.2 9.2v189.4c0 9.5-2.4 12.5-11.9 16.4-16.9 6.2-35.4 9.5-55.6 9.5-43.1 0-64.5-19.9-64.5-60.1zm97.6-26.7c-11.9-2.7-21.4-3.9-28.8-3.9-22.9 0-34.2 10.4-34.2 31.5v38.7c0 19.9 11 29.7 33.3 29.7 10.4 0 19.6-1.2 27.4-3.3 1.5-0.6 2.4-1.8 2.4-3.3v-89.4z"/><path class="st1" d="m1651.9 195.3c0-40.4 20.8-62.1 62.1-62.1 9.2 0 20.8 1.2 35.4 3.9v-56.3c0-6.8 2.1-9.2 8.9-9.2h16.4c6.8 0 9.2 2.4 9.2 9.2v189.4c0 9.5-2.4 12.5-11.9 16.4-16.9 6.2-35.4 9.5-55.6 9.5-43.1 0-64.5-19.9-64.5-60.1zm97.5-26.7c-11.9-2.7-21.4-3.9-28.8-3.9-22.9 0-34.2 10.4-34.2 31.5v38.7c0 19.9 11 29.7 33.3 29.7 10.4 0 19.6-1.2 27.4-3.3 1.5-0.6 2.4-1.8 2.4-3.3v-89.4z"/><path class="st1" d="m1939.1 137.6c6.8 0 9.2 2.1 9.2 8.9v150.2c0 40.7-20.5 64.8-65.4 64.8-29.4 0-50.3-9.5-61.8-28.5-4.2-6.5-3-11.6 3.9-14.9l11.3-6.2c7.1-3.6 10.4-2.7 14.9 3.6 6.2 10.1 16.6 15.2 31.2 15.2 21.1 0 31.5-10.7 31.5-32.1v-14c-12.2 2.7-24.1 4.2-35.4 4.2-41.6 0-62.1-21.4-62.1-59.8v-82.4c0-6.8 2.4-8.9 9.2-8.9h16.4c6.8 0 8.9 2.1 8.9 8.9v81.2c0 19.6 10.7 29.4 32.4 29.4 9.8 0 19.9-1.5 30.6-4.2v-106.5c0-6.8 2.4-8.9 9.2-8.9z"/></g></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 91 62"><g fill="none" fill-rule="nonzero"><path fill="#3AE7E1" d="M11.36 28.163a2.704 2.704 0 0 1-2.085-4.799l7.492-5.85a2.704 2.704 0 0 1 3.786.465 2.704 2.704 0 0 1-.466 3.786l-7.491 5.852c-.365.304-.79.486-1.235.546Z"/><path fill="#F5F7FA" d="M4.092 33.873a2.736 2.736 0 0 1-2.551-.992 2.704 2.704 0 0 1 .466-3.786l.708-.547a2.704 2.704 0 0 1 3.787.466 2.704 2.704 0 0 1-.466 3.786l-.709.547c-.364.283-.79.465-1.235.526Z"/><path fill="#3AE7E1" d="M3.12 49.24a2.704 2.704 0 0 1-2.085-4.799l16.44-12.836c1.175-.91 2.875-.708 3.787.466a2.704 2.704 0 0 1-.466 3.786L4.356 48.714c-.385.284-.81.466-1.236.527Z"/><path fill="#F5F7FA" d="M26.546 31.018a2.704 2.704 0 0 1-2.085-4.799l2.611-2.044a2.704 2.704 0 0 1 3.787.466 2.704 2.704 0 0 1-.466 3.786l-2.612 2.045c-.385.283-.81.465-1.235.546Z"/><path fill="#3AE7E1" d="M25.108 46.71a2.704 2.704 0 0 1-2.085-4.799l13.484-10.528c1.175-.911 2.876-.709 3.787.465a2.704 2.704 0 0 1-.466 3.787L26.344 46.163c-.365.304-.79.486-1.236.547Z"/><path fill="#F5F7FA" d="M17.739 52.561a2.706 2.706 0 0 1-2.552-1.012c-.91-1.175-.708-2.875.466-3.786l.952-.75c1.174-.91 2.875-.708 3.786.466s.709 2.875-.466 3.786l-.951.75a2.59 2.59 0 0 1-1.235.546Z"/><path fill="#3AE7E1" d="M85.708 0H23.185c-2.328 0-4.495 1.438-5.183 3.665a5.014 5.014 0 0 0 0 3.037 5.21 5.21 0 0 0 1.761 2.53S43.715 27.84 49.587 31.89c2.106 1.356 4.15.89 5.365-.04L85.343 8.2v40.879a7.232 7.232 0 0 1-7.228 7.228h-57.44a2.67 2.67 0 0 0-2.673 2.672 2.713 2.713 0 0 0 2.713 2.713h57.38c6.965 0 12.614-5.649 12.614-12.613V5C90.729 2.247 88.48 0 85.708 0ZM52.239 27.151 24.4 5.386H80.18L52.24 27.15Z"/></g></svg>

docs/assets/img/email/anonaddy.svg

@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="384" height="128" version="1.1" viewBox="0 0 101.6 33.867"><g id="XMLID_1_" transform="matrix(.05357 0 0 .05357 -2.7694 6.1687)"><g id="XMLID_29_"><path id="XMLID_41_" fill="#3ae7e1" d="m107.8 179.5c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.1 2.3-18.7l37-28.9c5.8-4.5 14.1-3.5 18.7 2.3 4.5 5.8 3.5 14.1-2.3 18.7l-37 28.9c-1.8 1.5-3.9 2.4-6.1 2.7z" class="st0"/></g><g id="XMLID_30_"><path id="XMLID_40_" fill="#7b8794" d="m71.9 207.7c-4.6 0.7-9.5-1-12.6-4.9-4.5-5.8-3.5-14.1 2.3-18.7l3.5-2.7c5.8-4.5 14.1-3.5 18.7 2.3 4.5 5.8 3.5 14.1-2.3 18.7l-3.5 2.7c-1.8 1.4-3.9 2.3-6.1 2.6z" class="st1"/></g><g id="XMLID_31_"><path id="XMLID_39_" fill="#3ae7e1" d="m67.1 283.6c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.1 2.3-18.7l81.2-63.4c5.8-4.5 14.2-3.5 18.7 2.3s3.5 14.1-2.3 18.7l-81.2 63.5c-1.9 1.4-4 2.3-6.1 2.6z" class="st0"/></g><g id="XMLID_34_"><path id="XMLID_38_" fill="#7b8794" d="m182.8 193.6c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.1 2.3-18.7l12.9-10.1c5.8-4.5 14.1-3.5 18.7 2.3 4.5 5.8 3.5 14.1-2.3 18.7l-12.9 10.1c-1.9 1.4-4 2.3-6.1 2.7z" class="st1"/></g><g id="XMLID_32_"><path id="XMLID_37_" fill="#3ae7e1" d="m175.7 271.1c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.1 2.3-18.7l66.6-52c5.8-4.5 14.2-3.5 18.7 2.3s3.5 14.1-2.3 18.7l-66.6 52c-1.8 1.5-3.9 2.4-6.1 2.7z" class="st0"/></g><path id="XMLID_36_" fill="#7b8794" d="m139.3 300c-4.6 0.7-9.5-1-12.6-5-4.5-5.8-3.5-14.2 2.3-18.7l4.7-3.7c5.8-4.5 14.2-3.5 18.7 2.3s3.5 14.2-2.3 18.7l-4.7 3.7c-1.9 1.5-4 2.4-6.1 2.7z" class="st1"/><path id="XMLID_44_" fill="#3ae7e1" d="m475 40.4h-308.8c-11.5 0-22.2 7.1-25.6 18.1-1.6 5.1-1.5 10.3 0 15 1.5 4.8 4.5 9.2 8.7 12.5 0 0 118.3 91.9 147.3 111.9 10.4 6.7 20.5 4.4 26.5-0.2l150.1-116.8v201.9c0 19.7-16 35.7-35.7 35.7h-283.7c-7.3 0-13.2 5.9-13.2 13.2 0 7.4 6 13.4 13.4 13.4h283.4c34.4 0 62.3-27.9 62.3-62.3v-217.7c0.1-13.6-11-24.7-24.7-24.7zm-213.6 110.1 0.1-0.7 0.4 0.6zm48.3 24-137.5-107.5h275.5z" class="st0"/><g id="XMLID_81_"><g id="XMLID_4_" fill="#3ae7e1"><path id="XMLID_25_" d="m791.7 281.8c2.4 6.5 0 9.8-6.8 9.8h-15.5c-12.2 0-16.1-1.8-18.4-8.9l-13.7-38.4h-82.1l-14 38.4c-2.4 7.1-6.2 8.9-18.4 8.9h-13.7c-6.8 0-9.2-3.3-6.8-9.8l74.3-193.3c2.7-6.8 5.4-8.3 12.5-8.3h15.8c7.1 0 10.1 1.8 12.5 8zm-87.4-130.8c-3.6-10.7-5.9-24.4-6.8-31.2l-0.3-5.1h-2.1c0 11.3-2.1 23.2-6.5 36l-22.9 63h61.3z" class="st0"/><path id="XMLID_28_" d="m881.8 133.2c41.6 0 61.8 21.4 61.8 59.8v89.5c0 6.8-2.4 9.2-9.2 9.2h-16.4c-6.8 0-8.9-2.4-8.9-9.2v-88.6c0-19.3-10.7-29.1-32.4-29.1-9.5 0-19 1.2-28.5 3.9-1.5 0.6-2.1 1.5-2.1 3v110.9c0 6.8-2.1 9.2-8.9 9.2h-16.4c-6.8 0-9.2-2.4-9.2-9.2v-122.4c0-9.5 2.1-13.1 11.6-16.9 17-6.9 36.3-10.1 58.6-10.1z" class="st0"/><path id="XMLID_65_" d="m971.6 192.6c0-37.2 24.7-59.5 68.4-59.5 44 0 68.7 22.3 68.7 59.5v44c0 37.2-24.7 59.5-68.7 59.5-43.7 0-68.4-22.3-68.4-59.5zm102.6 0c0-18.1-12.5-28.2-34.2-28.2s-33.9 10.1-33.9 28.2v44c0 17.8 12.2 28.2 33.9 28.2s34.2-10.4 34.2-28.2z" class="st0"/><path id="XMLID_68_" d="m1207.7 133.2c41.6 0 61.8 21.4 61.8 59.8v89.5c0 6.8-2.4 9.2-9.2 9.2h-16.4c-6.8 0-8.9-2.4-8.9-9.2v-88.6c0-19.3-10.7-29.1-32.4-29.1-9.5 0-19 1.2-28.5 3.9-1.5 0.6-2.1 1.5-2.1 3v110.9c0 6.8-2.1 9.2-8.9 9.2h-16.4c-6.8 0-9.2-2.4-9.2-9.2v-122.4c0-9.5 2.1-13.1 11.6-16.9 16.9-6.9 36.3-10.1 58.6-10.1z" class="st0"/></g><g id="XMLID_24_" fill="#7b8794"><path id="XMLID_70_" d="m1477.7 281.8c2.4 6.5 0 9.8-6.8 9.8h-15.5c-12.2 0-16.1-1.8-18.4-8.9l-13.7-38.4h-82.1l-14 38.4c-2.4 7.1-6.2 8.9-18.4 8.9h-13.7c-6.8 0-9.2-3.3-6.8-9.8l74.3-193.3c2.7-6.8 5.4-8.3 12.5-8.3h15.8c7.1 0 10.1 1.8 12.5 8zm-87.5-130.8c-3.6-10.7-5.9-24.4-6.8-31.2l-0.3-5.1h-2.1c0 11.3-2.1 23.2-6.5 36l-22.9 63h61.3z" class="st1"/><path id="XMLID_73_" d="m1490.7 195.3c0-40.4 20.8-62.1 62.1-62.1 9.2 0 20.8 1.2 35.4 3.9v-56.3c0-6.8 2.1-9.2 8.9-9.2h16.4c6.8 0 9.2 2.4 9.2 9.2v189.4c0 9.5-2.4 12.5-11.9 16.4-16.9 6.2-35.4 9.5-55.6 9.5-43.1 0-64.5-19.9-64.5-60.1zm97.6-26.7c-11.9-2.7-21.4-3.9-28.8-3.9-22.9 0-34.2 10.4-34.2 31.5v38.7c0 19.9 11 29.7 33.3 29.7 10.4 0 19.6-1.2 27.4-3.3 1.5-0.6 2.4-1.8 2.4-3.3v-89.4z" class="st1"/><path id="XMLID_76_" d="m1651.9 195.3c0-40.4 20.8-62.1 62.1-62.1 9.2 0 20.8 1.2 35.4 3.9v-56.3c0-6.8 2.1-9.2 8.9-9.2h16.4c6.8 0 9.2 2.4 9.2 9.2v189.4c0 9.5-2.4 12.5-11.9 16.4-16.9 6.2-35.4 9.5-55.6 9.5-43.1 0-64.5-19.9-64.5-60.1zm97.5-26.7c-11.9-2.7-21.4-3.9-28.8-3.9-22.9 0-34.2 10.4-34.2 31.5v38.7c0 19.9 11 29.7 33.3 29.7 10.4 0 19.6-1.2 27.4-3.3 1.5-0.6 2.4-1.8 2.4-3.3v-89.4z" class="st1"/><path id="XMLID_79_" d="m1939.1 137.6c6.8 0 9.2 2.1 9.2 8.9v150.2c0 40.7-20.5 64.8-65.4 64.8-29.4 0-50.3-9.5-61.8-28.5-4.2-6.5-3-11.6 3.9-14.9l11.3-6.2c7.1-3.6 10.4-2.7 14.9 3.6 6.2 10.1 16.6 15.2 31.2 15.2 21.1 0 31.5-10.7 31.5-32.1v-14c-12.2 2.7-24.1 4.2-35.4 4.2-41.6 0-62.1-21.4-62.1-59.8v-82.4c0-6.8 2.4-8.9 9.2-8.9h16.4c6.8 0 8.9 2.1 8.9 8.9v81.2c0 19.6 10.7 29.4 32.4 29.4 9.8 0 19.9-1.5 30.6-4.2v-106.5c0-6.8 2.4-8.9 9.2-8.9z" class="st1"/></g></g></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 91 62"><g fill="none" fill-rule="nonzero"><path fill="#3AE7E1" d="M11.36 28.163a2.704 2.704 0 0 1-2.085-4.799l7.492-5.85a2.704 2.704 0 0 1 3.786.465 2.704 2.704 0 0 1-.466 3.786l-7.491 5.852c-.365.304-.79.486-1.235.546Z"/><path fill="#7B8794" d="M4.092 33.873a2.736 2.736 0 0 1-2.551-.992 2.704 2.704 0 0 1 .466-3.786l.708-.547a2.704 2.704 0 0 1 3.787.466 2.704 2.704 0 0 1-.466 3.786l-.709.547c-.364.283-.79.465-1.235.526Z"/><path fill="#3AE7E1" d="M3.12 49.24a2.704 2.704 0 0 1-2.085-4.799l16.44-12.836c1.175-.91 2.875-.708 3.787.466a2.704 2.704 0 0 1-.466 3.786L4.356 48.714c-.385.284-.81.466-1.236.527Z"/><path fill="#7B8794" d="M26.546 31.018a2.704 2.704 0 0 1-2.085-4.799l2.611-2.044a2.704 2.704 0 0 1 3.787.466 2.704 2.704 0 0 1-.466 3.786l-2.612 2.045c-.385.283-.81.465-1.235.546Z"/><path fill="#3AE7E1" d="M25.108 46.71a2.704 2.704 0 0 1-2.085-4.799l13.484-10.528c1.175-.911 2.876-.709 3.787.465a2.704 2.704 0 0 1-.466 3.787L26.344 46.163c-.365.304-.79.486-1.236.547Z"/><path fill="#7B8794" d="M17.739 52.561a2.706 2.706 0 0 1-2.552-1.012c-.91-1.175-.708-2.875.466-3.786l.952-.75c1.174-.91 2.875-.708 3.786.466s.709 2.875-.466 3.786l-.951.75a2.59 2.59 0 0 1-1.235.546Z"/><path fill="#3AE7E1" d="M85.708 0H23.185c-2.328 0-4.495 1.438-5.183 3.665a5.014 5.014 0 0 0 0 3.037 5.21 5.21 0 0 0 1.761 2.53S43.715 27.84 49.587 31.89c2.106 1.356 4.15.89 5.365-.04L85.343 8.2v40.879a7.232 7.232 0 0 1-7.228 7.228h-57.44a2.67 2.67 0 0 0-2.673 2.672 2.713 2.713 0 0 0 2.713 2.713h57.38c6.965 0 12.614-5.649 12.614-12.613V5C90.729 2.247 88.48 0 85.708 0ZM52.239 27.151 24.4 5.386H80.18L52.24 27.15Z"/></g></svg>

docs/assets/img/email/mini/anonaddy-dark.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 91 62"><g fill="none" fill-rule="nonzero"><path fill="#3AE7E1" d="M11.36 28.163a2.704 2.704 0 0 1-2.085-4.799l7.492-5.85a2.704 2.704 0 0 1 3.786.465 2.704 2.704 0 0 1-.466 3.786l-7.491 5.852c-.365.304-.79.486-1.235.546Z"/><path fill="#F5F7FA" d="M4.092 33.873a2.736 2.736 0 0 1-2.551-.992 2.704 2.704 0 0 1 .466-3.786l.708-.547a2.704 2.704 0 0 1 3.787.466 2.704 2.704 0 0 1-.466 3.786l-.709.547c-.364.283-.79.465-1.235.526Z"/><path fill="#3AE7E1" d="M3.12 49.24a2.704 2.704 0 0 1-2.085-4.799l16.44-12.836c1.175-.91 2.875-.708 3.787.466a2.704 2.704 0 0 1-.466 3.786L4.356 48.714c-.385.284-.81.466-1.236.527Z"/><path fill="#F5F7FA" d="M26.546 31.018a2.704 2.704 0 0 1-2.085-4.799l2.611-2.044a2.704 2.704 0 0 1 3.787.466 2.704 2.704 0 0 1-.466 3.786l-2.612 2.045c-.385.283-.81.465-1.235.546Z"/><path fill="#3AE7E1" d="M25.108 46.71a2.704 2.704 0 0 1-2.085-4.799l13.484-10.528c1.175-.911 2.876-.709 3.787.465a2.704 2.704 0 0 1-.466 3.787L26.344 46.163c-.365.304-.79.486-1.236.547Z"/><path fill="#F5F7FA" d="M17.739 52.561a2.706 2.706 0 0 1-2.552-1.012c-.91-1.175-.708-2.875.466-3.786l.952-.75c1.174-.91 2.875-.708 3.786.466s.709 2.875-.466 3.786l-.951.75a2.59 2.59 0 0 1-1.235.546Z"/><path fill="#3AE7E1" d="M85.708 0H23.185c-2.328 0-4.495 1.438-5.183 3.665a5.014 5.014 0 0 0 0 3.037 5.21 5.21 0 0 0 1.761 2.53S43.715 27.84 49.587 31.89c2.106 1.356 4.15.89 5.365-.04L85.343 8.2v40.879a7.232 7.232 0 0 1-7.228 7.228h-57.44a2.67 2.67 0 0 0-2.673 2.672 2.713 2.713 0 0 0 2.713 2.713h57.38c6.965 0 12.614-5.649 12.614-12.613V5C90.729 2.247 88.48 0 85.708 0ZM52.239 27.151 24.4 5.386H80.18L52.24 27.15Z"/></g></svg>

docs/assets/img/email/mini/anonaddy.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 91 62"><g fill="none" fill-rule="nonzero"><path fill="#3AE7E1" d="M11.36 28.163a2.704 2.704 0 0 1-2.085-4.799l7.492-5.85a2.704 2.704 0 0 1 3.786.465 2.704 2.704 0 0 1-.466 3.786l-7.491 5.852c-.365.304-.79.486-1.235.546Z"/><path fill="#7B8794" d="M4.092 33.873a2.736 2.736 0 0 1-2.551-.992 2.704 2.704 0 0 1 .466-3.786l.708-.547a2.704 2.704 0 0 1 3.787.466 2.704 2.704 0 0 1-.466 3.786l-.709.547c-.364.283-.79.465-1.235.526Z"/><path fill="#3AE7E1" d="M3.12 49.24a2.704 2.704 0 0 1-2.085-4.799l16.44-12.836c1.175-.91 2.875-.708 3.787.466a2.704 2.704 0 0 1-.466 3.786L4.356 48.714c-.385.284-.81.466-1.236.527Z"/><path fill="#7B8794" d="M26.546 31.018a2.704 2.704 0 0 1-2.085-4.799l2.611-2.044a2.704 2.704 0 0 1 3.787.466 2.704 2.704 0 0 1-.466 3.786l-2.612 2.045c-.385.283-.81.465-1.235.546Z"/><path fill="#3AE7E1" d="M25.108 46.71a2.704 2.704 0 0 1-2.085-4.799l13.484-10.528c1.175-.911 2.876-.709 3.787.465a2.704 2.704 0 0 1-.466 3.787L26.344 46.163c-.365.304-.79.486-1.236.547Z"/><path fill="#7B8794" d="M17.739 52.561a2.706 2.706 0 0 1-2.552-1.012c-.91-1.175-.708-2.875.466-3.786l.952-.75c1.174-.91 2.875-.708 3.786.466s.709 2.875-.466 3.786l-.951.75a2.59 2.59 0 0 1-1.235.546Z"/><path fill="#3AE7E1" d="M85.708 0H23.185c-2.328 0-4.495 1.438-5.183 3.665a5.014 5.014 0 0 0 0 3.037 5.21 5.21 0 0 0 1.761 2.53S43.715 27.84 49.587 31.89c2.106 1.356 4.15.89 5.365-.04L85.343 8.2v40.879a7.232 7.232 0 0 1-7.228 7.228h-57.44a2.67 2.67 0 0 0-2.673 2.672 2.713 2.713 0 0 0 2.713 2.713h57.38c6.965 0 12.614-5.649 12.614-12.613V5C90.729 2.247 88.48 0 85.708 0ZM52.239 27.151 24.4 5.386H80.18L52.24 27.15Z"/></g></svg>

docs/assets/img/email/mini/mailboxorg.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 86 78"><path fill="#76BC21" fill-rule="nonzero" d="M52.597 44.165 85.369 21.72V0H7.923S-.003 0-.003 7.924v.217l52.6 36.024ZM7.923 77.151h77.446V33.243L54.677 54.168c-2.183 1.487-4.358-.01-4.358-.01L-.003 19.539v49.69s0 7.923 7.926 7.923"/></svg>

docs/assets/img/email/mini/simplelogin.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 59"><defs><linearGradient id="a" x1="0%" x2="99.995%" y1="50%" y2="50%"><stop offset="0%" stop-color="#ED2E7C"/><stop offset="100%" stop-color="#A8288F"/></linearGradient></defs><path fill="url(#a)" fill-rule="nonzero" d="M96.523 0H25.005l-.903.933-.153.169a41.263 41.263 0 0 1-2.126 2.057A45.808 45.808 0 0 1 2.6 13.883c-.207.061-.406.107-.612.168l-.903.222-.206.903c-.077.329-.138.658-.207 1.002A38.1 38.1 0 0 0 0 23.223a37.415 37.415 0 0 0 22.343 34.244c.153.077.329.153.497.222.375.168.75.314 1.124.467l.452.168.06.015.031-.015a.26.26 0 0 0 .108.015h71.893a2.805 2.805 0 0 0 2.807-2.807V2.784A2.767 2.767 0 0 0 96.523 0Zm-4.857 4.483-29.93 26.09a1.628 1.628 0 0 1-2.143-.015l-9.76-8.651a35.554 35.554 0 0 0-.673-6.196 36.48 36.48 0 0 1-.092-.527l-.206-.903-.903-.237c-.222-.046-.436-.107-.658-.153a44.69 44.69 0 0 1-13.898-6.54l-3.235-2.86h61.498v-.008ZM51.378 29.105l-2.455 2.172c.282-1.243.502-2.499.658-3.763l1.797 1.59Zm-26.84 26.06a36.184 36.184 0 0 1-2.715-1.247 34.66 34.66 0 0 1-18.817-30.68c-.003-2.18.207-4.355.627-6.494a48.582 48.582 0 0 0 18.19-9.34A43.137 43.137 0 0 0 25.02 4.56 48.67 48.67 0 0 0 42.68 15.566a40.75 40.75 0 0 0 3.626 1.14c.138.78.268 1.575.344 2.37.144 1.28.218 2.568.222 3.856 0 .704-.015 1.407-.076 2.111a33.775 33.775 0 0 1-2.142 10.013 34.551 34.551 0 0 1-20.117 20.109Zm8.728-1.155A37.48 37.48 0 0 0 45.71 40.02l8.98-7.932 4.873 4.36c.616.543 1.54.543 2.157 0l4.964-4.406 24.92 21.937-58.338.03Zm36.807-24.92L95.008 6.93l.046 44.189-24.981-22.03ZM31.269 46.842a24.6 24.6 0 0 0 3.312-2.922l-3.312 2.922Zm11.114-25.686a31.669 31.669 0 0 0-.283-1.874 34.74 34.74 0 0 1-2.906-.933.015.015 0 0 1-.016-.015c-.252-.077-.482-.184-.734-.283a25.363 25.363 0 0 1-1.637-.72 19.24 19.24 0 0 1-1.14-.542 10.245 10.245 0 0 1-.81-.42 35.255 35.255 0 0 1-2.532-1.485 25.548 25.548 0 0 1-1.5-1.002.275.275 0 0 1-.107-.076c-.527-.36-1.047-.75-1.56-1.14a43.023 43.023 0 0 1-2.952-2.486c-.406-.36-.811-.734-1.201-1.124a54.541 54.541 0 0 1-3.182 2.845 38.333 38.333 0 0 1-14.006 7.42 27.794 27.794 0 0 0-.497 5.232A28.301 28.301 0 0 0 21.83 49.19c.905.496 1.837.94 2.792 1.33a31.993 31.993 0 0 0 1.698-.718c.452-.207.903-.42 1.346-.658.407-.203.803-.428 1.186-.673.13-.065.255-.14.375-.222.206-.122.405-.252.596-.375a.368.368 0 0 0 .123-.091c.35-.217.69-.452 1.017-.704a1.3 1.3 0 0 0 .314-.237l3.312-2.922c.03 0 .03 0 .03-.015a28.385 28.385 0 0 0 6.946-12.239 27.624 27.624 0 0 0 1.002-7.374 30.795 30.795 0 0 0-.184-3.136ZM26.26 37.205l-2.547 2.547h-.015l-10.54-10.54 3.235-3.266 7.32 7.32 2.547-2.547 8.888-8.904 3.251 3.251-12.139 12.139Z"/></svg>

docs/assets/img/email/mini/startmail-dark.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 56 56"><g fill="none" fill-rule="nonzero"><path fill="#6573FF" d="M55.73 9.844V5.297A5.275 5.275 0 0 0 50.453.022H5.284A5.275 5.275 0 0 0 .007 5.297v4.461c2.097 2.006 21.3 20.222 27.956 20.222 7.043 0 25.592-18.003 27.767-20.136h-.002Z"/><path fill="#e5e8ff" d="M45.804 26.455c-7.608 6.855-13.613 10.332-17.849 10.332C18.347 36.787 2.08 22.23 0 20.34v30.128a5.276 5.276 0 0 0 5.275 5.275h45.17a5.275 5.275 0 0 0 5.276-5.275V16.43a133.421 133.421 0 0 1-9.918 10.023l.001.002Z"/></g></svg>

docs/assets/img/email/mini/startmail.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 56 56"><g fill="none" fill-rule="nonzero"><path fill="#6573FF" d="M55.73 9.844V5.297A5.275 5.275 0 0 0 50.453.022H5.284A5.275 5.275 0 0 0 .007 5.297v4.461c2.097 2.006 21.3 20.222 27.956 20.222 7.043 0 25.592-18.003 27.767-20.136h-.002Z"/><path fill="#202945" d="M45.804 26.455c-7.608 6.855-13.613 10.332-17.849 10.332C18.347 36.787 2.08 22.23 0 20.34v30.128a5.276 5.276 0 0 0 5.275 5.275h45.17a5.275 5.275 0 0 0 5.276-5.275V16.43a133.421 133.421 0 0 1-9.918 10.023l.001.002Z"/></g></svg>

docs/assets/img/email/mini/tutanota.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 257 237"><defs><path id="a" d="M22.875.003C10.235.003 0 10.249 0 22.875v211.23c0 .801.046 1.608.123 2.388 8.5-3.167 17.524-6.629 27.054-10.436 66.336-26.48 120.57-48.994 120.62-74.415 0-.814-.056-1.636-.172-2.458-3.43-25.098-63.407-32.879-63.324-44.381.007-.611.18-1.25.548-1.889 7.205-12.619 35.743-12.015 46.253-12.907 10.519-.913 35.206-.724 36.399-8.244.035-.232.057-.463.057-.695.028-6.987-16.977-9.726-16.977-9.726s20.635 3.083 20.579 11.11c0 .393-.048.8-.158 1.214-2.222 8.624-20.379 10.246-32.386 10.835-11.356.569-28.648 1.861-28.707 7.408-.007.323.049.66.165 1.004 2.71 8.11 66.09 12.015 106.64 33.061 23.335 12.099 34.94 32.422 40.263 53.418V22.872C256.977 10.246 246.734 0 234.108 0H22.878l-.003.003Z"/></defs><use xlink:href="#a" fill="#A01E20" fill-rule="evenodd"/></svg>

docs/assets/img/email/tutanota-dark.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" viewBox="0 0 384 128"><defs><clipPath id="b"><use width="1280" height="800" overflow="visible" xlink:href="#a"/></clipPath><path id="a" d="m155.5 222.8c-12.64 0-22.875 10.246-22.875 22.872v211.23c0 0.801 0.046 1.608 0.123 2.388 8.5-3.167 17.524-6.629 27.054-10.436 66.336-26.48 120.57-48.994 120.62-74.415 0-0.814-0.056-1.636-0.172-2.458-3.43-25.098-63.407-32.879-63.324-44.381 7e-3 -0.611 0.18-1.25 0.548-1.889 7.205-12.619 35.743-12.015 46.253-12.907 10.519-0.913 35.206-0.724 36.399-8.244 0.035-0.232 0.057-0.463 0.057-0.695 0.028-6.987-16.977-9.726-16.977-9.726s20.635 3.083 20.579 11.11c0 0.393-0.048 0.8-0.158 1.214-2.222 8.624-20.379 10.246-32.386 10.835-11.356 0.569-28.648 1.861-28.707 7.408-7e-3 0.323 0.049 0.66 0.165 1.004 2.71 8.11 66.09 12.015 106.64 33.061 23.335 12.099 34.94 32.422 40.263 53.418v-166.52c0-12.626-10.243-22.872-22.869-22.872h-211.23z"/></defs><path fill="#fff" stroke-width=".364" d="m131.6 49.002h-15.548v-2.9432h34.296v2.9432h-15.548v44.406h-3.1992v-44.406zm17.914 35.192v-24.378h3.0714v23.994c0 5.119 2.2396 7.6139 7.3583 7.6139 4.6711 0 8.5738-2.4312 12.733-6.3983v-25.21h3.0714v33.592h-3.0714v-5.5662c-3.7112 3.5185-8.0622 6.2705-12.989 6.2705-6.9744-3.6e-4 -10.174-3.8394-10.174-9.918zm39.734 1.7276v-23.355h-5.8867v-2.7512h5.8867v-12.221h3.0713v12.221h8.7658v2.7512h-8.7658v22.907c0 3.5834 1.2159 5.631 5.4388 5.631 1.28 0 2.5593-0.12818 3.5193-0.44792v2.8791c-1.0878 0.19191-2.3674 0.3201-3.7749 0.3201-5.5669 0-8.2545-2.2396-8.2545-7.934zm18.554-0.25601c0-6.3983 5.4388-11.198 23.099-14.141v-2.0477c0-5.1187-2.6875-7.678-7.2942-7.678-5.567 0-9.2781 2.1755-13.053 5.5669l-1.7913-1.9195c4.1591-3.839 8.4456-6.3346 14.908-6.3346 6.9744 0 10.302 3.9672 10.302 10.174v15.804c0 4.0954 0.25601 6.5902 0.95993 8.3178h-3.2632c-0.44792-1.4075-0.76766-3.0713-0.76766-4.9908-4.095 3.5193-8.5742 5.567-13.629 5.567-6.1427 0-9.4697-3.1992-9.4697-8.3182zm23.098-0.25601v-11.581c-16.38 2.8794-20.027 6.9103-20.027 11.645 0 3.7753 2.4956 5.823 6.6543 5.823 4.9912 3.6e-4 9.5338-2.1755 13.373-5.8867zm13.566 7.9981v-33.784h5.5666v5.0549c2.9435-2.8794 7.1667-5.7585 12.669-5.7585 6.4624 0 9.9817 3.7112 9.9817 10.11v24.378h-5.5029v-23.162c0-4.4788-1.9195-6.5906-6.2064-6.5906-4.0309 0-7.4224 2.1114-10.942 5.4388v24.314h-5.5666zm36.278-16.892c0-11.645 7.4224-17.596 15.741-17.596 8.2541 0 15.676 5.9508 15.676 17.596 0 11.581-7.4224 17.596-15.676 17.596s-15.741-6.0149-15.741-17.596zm25.85 0c0-7.0385-3.3914-12.861-10.11-12.861-6.4624 0-10.174 5.2468-10.174 12.861 0 7.1664 3.3274 12.925 10.174 12.925 6.3983 0 10.11-5.1831 10.11-12.925zm16.379 8.702v-21.051h-5.8867v-4.5429h5.8867v-12.029h5.5025v12.029h8.7661v4.5429h-8.7661v19.836c0 3.5834 1.1518 5.375 5.2468 5.375 1.2156 0 2.5593-0.19191 3.4552-0.44792v4.5429c-0.95993 0.19191-3.0717 0.38419-4.7989 0.38419-7.1023-7.3e-4 -9.4056-2.7516-9.4056-8.6387zm20.219 0.19191c0-6.8466 5.8222-11.709 22.586-14.077v-1.5357c0-4.2232-2.2392-6.2705-6.3983-6.2705-5.119 0-8.8939 2.2396-12.221 5.1187l-2.8794-3.4552c3.9031-3.583 8.958-6.2705 15.676-6.2705 8.0622 0 11.261 4.2232 11.261 11.261v14.908c0 4.0954 0.25601 6.5902 0.95993 8.3178h-5.6307c-0.44756-1.4075-0.76766-2.7512-0.76766-4.6708-3.7749 3.5193-7.9981 5.1828-13.053 5.1828-5.823 3.6e-4 -9.5338-3.0706-9.5338-8.5098zm22.586-0.76765v-9.4697c-12.861 2.0477-17.148 5.1828-17.148 9.4059 0 3.2633 2.1755 4.9912 5.6948 4.9912 4.4788-3.6e-4 8.3182-1.8561 11.453-4.9275zm4.3018-37.48c0-3.8769 3.0954-7.0021 6.9719-7.0021s6.942 3.1252 6.942 7.0021c0 3.9067-3.0655 7.032-6.942 7.032s-6.9719-3.1256-6.9719-7.032zm13.102 0c0-3.3958-2.7349-6.2206-6.1303-6.2206s-6.1303 2.8248-6.1303 6.2206c0 3.4257 2.7349 6.2203 6.1303 6.2203s6.1303-2.7946 6.1303-6.2203zm-8.6547-4.0269h2.6147c1.7425 0 2.7043 0.78149 2.7043 2.1034 0 1.2622-0.69081 1.8929-1.7425 2.1034l1.9829 3.6059h-0.99161l-1.9232-3.4858h-1.7731v3.4858h-0.87144zm2.5845 3.5156c1.142 0 1.863-0.3303 1.863-1.3824 0-0.96175-0.72104-1.292-1.8933-1.292h-1.6828v2.6744z"/><g fill="#a01e20" transform="translate(-132.63 -331.29)"><clipPath><use width="1280" height="800" overflow="visible" xlink:href="#a"/></clipPath><path d="m132.63 222.8h256.98v236.49h-256.98z" clip-path="url(#b)" transform="matrix(.36416 0 0 .36416 84.331 271.09)"/></g></svg>

docs/assets/img/email/tutanota.svg

@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" viewBox="0 0 384 128"><defs><clipPath id="b"><use width="1280" height="800" overflow="visible" xlink:href="#a"/></clipPath><path id="a" d="m155.5 222.8c-12.64 0-22.875 10.246-22.875 22.872v211.23c0 0.801 0.046 1.608 0.123 2.388 8.5-3.167 17.524-6.629 27.054-10.436 66.336-26.48 120.57-48.994 120.62-74.415 0-0.814-0.056-1.636-0.172-2.458-3.43-25.098-63.407-32.879-63.324-44.381 7e-3 -0.611 0.18-1.25 0.548-1.889 7.205-12.619 35.743-12.015 46.253-12.907 10.519-0.913 35.206-0.724 36.399-8.244 0.035-0.232 0.057-0.463 0.057-0.695 0.028-6.987-16.977-9.726-16.977-9.726s20.635 3.083 20.579 11.11c0 0.393-0.048 0.8-0.158 1.214-2.222 8.624-20.379 10.246-32.386 10.835-11.356 0.569-28.648 1.861-28.707 7.408-7e-3 0.323 0.049 0.66 0.165 1.004 2.71 8.11 66.09 12.015 106.64 33.061 23.335 12.099 34.94 32.422 40.263 53.418v-166.52c0-12.626-10.243-22.872-22.869-22.872h-211.23z"/></defs><path stroke-width=".364" d="m131.6 49.002h-15.548v-2.9432h34.296v2.9432h-15.548v44.406h-3.1992v-44.406zm17.914 35.192v-24.378h3.0714v23.994c0 5.119 2.2396 7.6139 7.3583 7.6139 4.6711 0 8.5738-2.4312 12.733-6.3983v-25.21h3.0714v33.592h-3.0714v-5.5662c-3.7112 3.5185-8.0622 6.2705-12.989 6.2705-6.9744-3.6e-4 -10.174-3.8394-10.174-9.918zm39.734 1.7276v-23.355h-5.8867v-2.7512h5.8867v-12.221h3.0713v12.221h8.7658v2.7512h-8.7658v22.907c0 3.5834 1.2159 5.631 5.4388 5.631 1.28 0 2.5593-0.12818 3.5193-0.44792v2.8791c-1.0878 0.19191-2.3674 0.3201-3.7749 0.3201-5.5669 0-8.2545-2.2396-8.2545-7.934zm18.554-0.25601c0-6.3983 5.4388-11.198 23.099-14.141v-2.0477c0-5.1187-2.6875-7.678-7.2942-7.678-5.567 0-9.2781 2.1755-13.053 5.5669l-1.7913-1.9195c4.1591-3.839 8.4456-6.3346 14.908-6.3346 6.9744 0 10.302 3.9672 10.302 10.174v15.804c0 4.0954 0.25601 6.5902 0.95993 8.3178h-3.2632c-0.44792-1.4075-0.76766-3.0713-0.76766-4.9908-4.095 3.5193-8.5742 5.567-13.629 5.567-6.1427 0-9.4697-3.1992-9.4697-8.3182zm23.098-0.25601v-11.581c-16.38 2.8794-20.027 6.9103-20.027 11.645 0 3.7753 2.4956 5.823 6.6543 5.823 4.9912 3.6e-4 9.5338-2.1755 13.373-5.8867zm13.566 7.9981v-33.784h5.5666v5.0549c2.9435-2.8794 7.1667-5.7585 12.669-5.7585 6.4624 0 9.9817 3.7112 9.9817 10.11v24.378h-5.5029v-23.162c0-4.4788-1.9195-6.5906-6.2064-6.5906-4.0309 0-7.4224 2.1114-10.942 5.4388v24.314h-5.5666zm36.278-16.892c0-11.645 7.4224-17.596 15.741-17.596 8.2541 0 15.676 5.9508 15.676 17.596 0 11.581-7.4224 17.596-15.676 17.596s-15.741-6.0149-15.741-17.596zm25.85 0c0-7.0385-3.3914-12.861-10.11-12.861-6.4624 0-10.174 5.2468-10.174 12.861 0 7.1664 3.3274 12.925 10.174 12.925 6.3983 0 10.11-5.1831 10.11-12.925zm16.379 8.702v-21.051h-5.8867v-4.5429h5.8867v-12.029h5.5025v12.029h8.7661v4.5429h-8.7661v19.836c0 3.5834 1.1518 5.375 5.2468 5.375 1.2156 0 2.5593-0.19191 3.4552-0.44792v4.5429c-0.95993 0.19191-3.0717 0.38419-4.7989 0.38419-7.1023-7.3e-4 -9.4056-2.7516-9.4056-8.6387zm20.219 0.19191c0-6.8466 5.8222-11.709 22.586-14.077v-1.5357c0-4.2232-2.2392-6.2705-6.3983-6.2705-5.119 0-8.8939 2.2396-12.221 5.1187l-2.8794-3.4552c3.9031-3.583 8.958-6.2705 15.676-6.2705 8.0622 0 11.261 4.2232 11.261 11.261v14.908c0 4.0954 0.25601 6.5902 0.95993 8.3178h-5.6307c-0.44756-1.4075-0.76766-2.7512-0.76766-4.6708-3.7749 3.5193-7.9981 5.1828-13.053 5.1828-5.823 3.6e-4 -9.5338-3.0706-9.5338-8.5098zm22.586-0.76765v-9.4697c-12.861 2.0477-17.148 5.1828-17.148 9.4059 0 3.2633 2.1755 4.9912 5.6948 4.9912 4.4788-3.6e-4 8.3182-1.8561 11.453-4.9275zm4.3018-37.48c0-3.8769 3.0954-7.0021 6.9719-7.0021 3.8765 0 6.942 3.1252 6.942 7.0021 0 3.9067-3.0655 7.032-6.942 7.032-3.8765 0-6.9719-3.1256-6.9719-7.032zm13.102 0c0-3.3958-2.7349-6.2206-6.1303-6.2206s-6.1303 2.8248-6.1303 6.2206c0 3.4257 2.7349 6.2203 6.1303 6.2203s6.1303-2.7946 6.1303-6.2203zm-8.6547-4.0269h2.6147c1.7425 0 2.7043 0.78149 2.7043 2.1034 0 1.2622-0.69081 1.8929-1.7425 2.1034l1.9829 3.6059h-0.99161l-1.9232-3.4858h-1.7731v3.4858h-0.87144zm2.5845 3.5156c1.142 0 1.863-0.3303 1.863-1.3824 0-0.96175-0.72104-1.292-1.8933-1.292h-1.6828v2.6744z"/><g fill="#a01e20" transform="translate(-132.63 -331.29)"><clipPath><use width="1280" height="800" overflow="visible" xlink:href="#a"/></clipPath><path d="m132.63 222.8h256.98v236.49h-256.98z" clip-path="url(#b)" transform="matrix(.36416 0 0 .36416 84.331 271.09)"/></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 257 237"><defs><path id="a" d="M22.875.003C10.235.003 0 10.249 0 22.875v211.23c0 .801.046 1.608.123 2.388 8.5-3.167 17.524-6.629 27.054-10.436 66.336-26.48 120.57-48.994 120.62-74.415 0-.814-.056-1.636-.172-2.458-3.43-25.098-63.407-32.879-63.324-44.381.007-.611.18-1.25.548-1.889 7.205-12.619 35.743-12.015 46.253-12.907 10.519-.913 35.206-.724 36.399-8.244.035-.232.057-.463.057-.695.028-6.987-16.977-9.726-16.977-9.726s20.635 3.083 20.579 11.11c0 .393-.048.8-.158 1.214-2.222 8.624-20.379 10.246-32.386 10.835-11.356.569-28.648 1.861-28.707 7.408-.007.323.049.66.165 1.004 2.71 8.11 66.09 12.015 106.64 33.061 23.335 12.099 34.94 32.422 40.263 53.418V22.872C256.977 10.246 246.734 0 234.108 0H22.878l-.003.003Z"/></defs><use xlink:href="#a" fill="#A01E20" fill-rule="evenodd"/></svg>

docs/assets/img/file-sharing-sync/bitwarden.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><g stroke-width=".033"><path id="Background" fill="#175ddc" d="m33.867 28.575c0 2.9236-2.368 5.2917-5.2917 5.2917h-23.283c-2.9236 0-5.2917-2.368-5.2917-5.2917v-23.283c0-2.9236 2.368-5.2917 5.2917-5.2917h23.283c2.9236 0 5.2917 2.368 5.2917 5.2917z" class="st0"/><path id="Identity" fill="#fff" d="m27.444 4.2532c-0.21497-0.21497-0.46964-0.32081-0.76068-0.32081h-19.5c-0.29435 0-0.5457 0.10583-0.76068 0.32081s-0.32081 0.46964-0.32081 0.76068v13.001c0 0.96904 0.18852 1.9315 0.56555 2.8873 0.37703 0.9525 0.84667 1.7992 1.4056 2.54 0.55893 0.73753 1.2237 1.4585 1.9976 2.1597 0.77391 0.70115 1.4883 1.2799 2.1398 1.7429 0.65484 0.46302 1.3361 0.89958 2.0472 1.313 0.71107 0.41341 1.2171 0.69122 1.5147 0.83674s0.53909 0.26128 0.71768 0.33734c0.1356 0.06615 0.28112 0.10253 0.43987 0.10253s0.30427-0.03307 0.43987-0.10253c0.1819-0.07937 0.42003-0.19182 0.72099-0.33734 0.29766-0.14552 0.80367-0.42664 1.5147-0.83674 0.71107-0.41341 1.3924-0.84997 2.0472-1.313 0.65484-0.46302 1.3692-1.0451 2.1431-1.7429 0.77391-0.70115 1.4387-1.4188 1.9976-2.1597 0.55893-0.74083 1.0253-1.5842 1.4056-2.54 0.37703-0.9525 0.56555-1.9149 0.56555-2.8873v-12.998c0.0033-0.29435-0.10583-0.54901-0.32081-0.76398zm-2.5135 13.884c0 4.7063-7.997 8.761-7.997 8.761v-20.181h7.997v11.42z" class="st1"/></g></svg>

docs/assets/img/file-sharing-sync/gitannex.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><path d="m15.51 32.89c-2.1261-0.2739-4.3143-2.2842-4.62-4.6427-0.2932-1.9717 0.1298-4.2732 1.7597-5.5744 0.71488-0.48726 1.6873-1.0332 2.5449-0.96823 0.02568 0.8729-0.02568 1.9339 0 2.8068-1.0214 0.11372-2.0101 1.2747-1.9896 2.3377 0.02504 1.3833 0.63725 2.6543 1.9681 3.0683 1.4721 0.49534 3.1573 0.35446 4.52-0.46907 1.1258-0.87713 1.2299-2.5102 0.64111-3.753-0.26486-0.6839-0.83579-1.186-1.6107-1.1839v2.4347h-2.185v-5.2415h6.6168v1.8849l-1.8124 0.01676c1.6912 0.9641 1.8646 3.0449 1.7779 4.4885 0.06093 2.4798-2.389 4.5017-4.819 4.772-0.87912 0.06591-1.623 0.06938-2.792 0.02322z" style="fill:#666;stroke-width:.13483"/><path d="m10.783 20.663-0.01389-2.7507h12.404l-0.0014 2.7639-12.389-0.01325z" style="fill:#d8382d;stroke-width:.13483"/><path d="m15.511 16.946v-2.9437h-4.8088v-2.5617h4.8088v-3.3032h2.8763v3.3032h4.7863v2.5617h-4.7863l-0.04742 2.9376-2.8289 0.0061z" style="fill:#40bf4c;stroke-width:.13483"/><path d="m2.8693 0.94568-2.8693 4.0111h1.5926c0.00327 0.44336 0.040782 0.88004 0.10533 1.3061l2.5322-0.38341c-0.045291-0.30133-0.072595-0.60958-0.07584-0.92272h1.5842zm1.5589 5.8354-2.4479 0.73733c0.12454 0.41298 0.27594 0.81477 0.45504 1.2008l2.3215-1.0744c-0.1289-0.27809-0.23949-0.56604-0.32864-0.86373zm0.76682 1.6516-2.153 1.3862c0.96876 1.5022 2.3657 2.703 4.0195 3.4254l1.0238-2.3468c-1.1908-0.51967-2.194-1.3829-2.8903-2.4648zm3.7414 2.7639-0.69098 2.469c0.39093 0.10931 0.79089 0.19165 1.2008 0.24859l0.35392-2.5364c-0.29453-0.041434-0.58263-0.10254-0.86373-0.18117z" style="fill-rule:evenodd;fill:#40bf4c"/><path d="m30.997 0.94568-2.8693 4.0111h1.5926c-0.0032 0.31314-0.03055 0.62139-0.07584 0.92272l2.5322 0.38341c0.06455-0.42609 0.10206-0.86277 0.10533-1.3061h1.5842zm-1.5505 5.8354c-0.08915 0.29769-0.19974 0.58564-0.32864 0.86373l2.3215 1.0744c0.1791-0.38602 0.3305-0.78782 0.45504-1.2008zm-0.76682 1.6516c-0.69629 1.0819-1.6996 1.9451-2.8903 2.4648l1.0238 2.3468c1.6538-0.72247 3.0507-1.9232 4.0195-3.4254zm-3.7414 2.7639c-0.2811 0.07864-0.5692 0.13974-0.86373 0.18117l0.35392 2.5364c0.40991-0.05694 0.80986-0.13928 1.2008-0.24859z" style="fill-rule:evenodd;fill:#40bf4c"/></svg>

docs/assets/img/messengers/molly.svg

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="127.99" height="128" version="1.1" viewBox="0 0 33.864 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="translate(-48.383 -89.279)"><g transform="matrix(.083544 0 0 .083551 36.799 77.694)"><path d="m220.51 504.06 120.82 39.937 1.2e-4 4e-5 -143.92-5e-5zm323.49-162.73c0 111.93-90.737 202.67-202.67 202.67-111.93-1e-5 -202.67-90.737-202.67-202.67s90.737-202.67 202.67-202.67c111.93 0 202.67 90.737 202.67 202.67z" fill="#7663f0"/><g transform="translate(-5.1601e-6,-4.0973)"><circle cx="341" cy="433.47" r="23.536" fill="#f9f8fe" stroke-width=".64448"/><circle cx="439.19" cy="375.64" r="23.536" fill="#aaa4ce" stroke-width=".64448"/><circle cx="242.81" cy="375.64" r="23.536" fill="#cba1fe" stroke-width=".64447"/><g stroke-width=".64448"><circle cx="439.19" cy="433.47" r="23.536" fill="#f9f8fe"/><circle cx="439.19" cy="317.82" r="23.536" fill="#aacdf4"/><circle cx="242.81" cy="260" r="23.536" fill="#4b0f9f"/></g><circle cx="242.81" cy="317.82" r="23.536" fill="#aaa4ce" stroke-width=".64447"/><g stroke-width=".64448"><circle cx="242.81" cy="433.47" r="23.536" fill="#f9f8fe"/><circle cx="341" cy="317.82" r="23.536" fill="#4b0f9f"/><circle cx="341" cy="375.64" r="23.536" fill="#aacdf4"/></g><circle cx="439.19" cy="260" r="23.536" fill="#4b0f9f" stroke-width=".64447"/></g></g></g></svg>

docs/assets/img/metadata-removal/exiferaser.svg

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="vector" version="1.1" viewBox="0 0 128 128" xmlns="http://www.w3.org/2000/svg">
+ <g id="group" transform="matrix(2.5666 0 0 2.5666 -73.625 -74.595)">
+  <path id="path" d="m28.686 54c0-6.611 2.629-12.958 7.304-17.632 4.674-4.675 11.021-7.304 17.632-7.304s12.958 2.629 17.633 7.304c4.674 4.674 7.303 11.021 7.303 17.632s-2.629 12.958-7.303 17.632c-4.675 4.675-11.022 7.304-17.633 7.304s-12.958-2.629-17.632-7.304c-4.675-4.674-7.304-11.021-7.304-17.632" fill="#fff"/>
+  <path d="m48.42 40.201v21.793h21.795v-21.793zm2.8184 2.8184h16.156v11.051l-4.1621-4.0703-4.9883 5.3047-3.1465-3.0469-3.8594 4.1738zm6.4609 1.9727c-1.1964 0.01026-2.4063 1.0128-2.334 2.2812-0.0012 0.186 0.02158 0.37225 0.06641 0.55273 0.27682 1.4976 2.226 2.1821 3.4512 1.3633 1.3815-0.81242 1.3037-3.0455-0.04102-3.8496-0.34791-0.2441-0.74378-0.35108-1.1426-0.34766z" fill="#009688"/>
+  <path d="m43.2 48.735c-0.807 0-1.461-0.654-1.461-1.461v-6.667c0-3.679 2.993-6.673 6.672-6.673s6.7339 2.5864 6.7339 6.2654l-2.9045 0.01627c0-2.068-1.7614-3.3587-3.8294-3.3587s-3.75 1.682-3.75 3.75v6.667c0 0.807-0.654 1.461-1.461 1.461zm0-6.787-7.013 6.818v20.141h14.026v-20.141zm0 7.429c-1.143 0-2.07-0.927-2.07-2.07s0.927-2.07 2.07-2.07 2.07 0.927 2.07 2.07-0.927 2.07-2.07 2.07z" fill="#00675b"/>
+ </g>
+</svg>

docs/assets/img/metadata-removal/imagepipe.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><g transform="matrix(.88305 0 0 .88305 -59.285 -61.488)"><circle cx="86.313" cy="88.808" r="19.176" style="fill:#d800d0"/><rect width="14.167" height="20.064" x="78.814" y="74.444" style="-inkscape-stroke:none;fill-rule:evenodd;fill:#80d6ff;font-variation-settings:normal;stop-color:#000;stroke-width:.26492"/><rect width="15.95" height="10.65" x="-4.845" y="121.46" transform="rotate(-44.162)" style="-inkscape-stroke:none;fill-rule:evenodd;fill:#42a5f5;font-variation-settings:normal;stop-color:#000;stroke-width:.29441"/><rect width="11.861" height="8.557" x="85.189" y="91.475" style="-inkscape-stroke:none;fill-rule:evenodd;fill:#0077c2;font-variation-settings:normal;stop-color:#000;stroke-width:.26458"/></g></svg>

docs/assets/img/productivity/framadate.svg

@@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(9.188 0 0 9.188 -199.4 -1004)"><g transform="matrix(.0067972 0 0 .0067972 21.591 109.2)" fill="#725794"><circle cx="74.91" cy="180.35" r="55"/><circle cx="137.6" cy="317.44" r="42.5"/><circle cx="189.82" cy="434.27" r="31"/></g><g transform="matrix(.0067972 0 0 .0067972 21.591 109.2)" fill="#dd6418"><circle cx="515.92" cy="412.86" r="26"/><circle cx="499.71" cy="484.31" r="21"/></g><path d="m24.895 110.26c-0.03969 0.0132-0.16933-5e-3 -0.16933-5e-3 0.03704 0.0238 0.06086 0.0873 0.05821 0.1323-0.127-0.0159-0.17727-0.0582-0.29369-0.11907 0 0 0.07937 0.0953 0.15875 0.15082 0.14288 0.10847 0.27252 0.23812 0.3519 0.36247 0.03969 0.0609 0.05027 0.0688 0.05292 0.0423a0.87312 0.87312 0 0 0-0.13758-0.49477c-0.01588-0.0238-0.01852-0.0503-0.02117-0.0688z" fill="#dd6418" style="stroke-width:.26458"/><path d="m21.837 109.27c-0.03969 0-0.06085 0.0344-0.03175 0.0609 1.3097 0.62177 1.1165 1.2092 1.2859 1.8838 0.04498 0.18256 0.34925 1.6034 1.95 1.741 0.06085 5e-3 0.07937-0.0661 0.01588-0.082-1.307-0.34925-1.6219-2.6326-0.70908-2.7173 0.127-0.0106 0.16669 0.0423 0.26458 0.0741 0.09525 0.0318 0.24606 0.0423 0.29104 0.0344 0.08467-0.15875-0.06615-0.33866-0.19315-0.47096 0.13758-0.09 0.58208-0.18785 0.635-0.21166 0.0344-0.0132 0.01852-0.0661-0.01058-0.0714-0.20373 0.0132-0.68792 0.0529-0.90752 0.13758-0.38365-0.23283-0.88371-0.0529-1.1377 0.34396-0.25929-0.37835-0.62442-0.48948-1.4552-0.72231zm2.1484 0.35454c0.19579 0 0.1905 0.082-0.0635 0.16933a0.99483 0.99483 0 0 0-0.62971 0.58209c-0.0291-0.045 0.11377-0.67734 0.69321-0.75142z" style="stroke-width:.26458"/></g></svg>

docs/assets/img/productivity/vscodium.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><defs><linearGradient id="Gradient_1" x1="2.763" x2="94.027" y1="-.313" y2="95.408" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#56CCF2"/><stop offset="1" stop-color="#2F80ED"/></linearGradient></defs><g transform="matrix(.33867 0 0 .33867 .010977 .10601)"><path id="Shape" fill="url(#Gradient_1)" d="m63.697 1.417c0.657-1.036 1.832-1.725 3.066-1.73 1.729-4e-3 3.375 0.967 4.376 2.35 0.943 1.322 1.234 2.993 1.236 4.589-0.015 2.244-0.532 4.449-1.148 6.596-1.539 5.067-3.63 9.946-5.192 15.007-1.72 5.743-2.545 12.143-0.234 17.845 1.208-3.372 2.403-6.751 3.607-10.127 0.342-0.892 0.792-1.906 1.748-2.272 1.331-0.474 2.688 0.915 2.649 2.201-0.364 1.873-1.07 3.658-1.626 5.48-4.503 13.536-9.546 26.885-14.402 40.299 6.458-5.905 12.936-11.788 19.402-17.682 1.861-1.694 3.879-3.54 4.449-6.1 0.569-2.513-0.489-5.007-1.688-7.165-1.385-2.575-3.153-5.024-3.803-7.922-0.327-1.501-0.228-3.228 0.784-4.458 0.73-0.926 2.059-1.404 3.18-0.952 1.107 0.423 1.775 1.486 2.298 2.49 1.757 3.525 2.853 7.377 3.23 11.299 1.2-2.421 2.414-4.832 3.616-7.251 0.726-1.425 1.367-2.954 2.545-4.08 0.711-0.702 1.747-1.144 2.75-0.916 1.258 0.278 2.141 1.422 2.479 2.61 0.383 1.262-0.022 2.576-0.429 3.775-1.212 3.353-3.116 6.387-4.951 9.424-2.558 4.02-5.275 7.943-8.241 11.675 1.695-1.132 3.48-2.323 5.556-2.56 1.964-0.263 4.135 0.887 4.785 2.804 0.435 1.305-0.269 2.782-1.451 3.419-1.734 0.967-3.786 0.954-5.713 1.04-6.993 0.192-13.808 3.635-18.147 9.116-3.424 4.371-5.173 9.802-8.648 14.137-2.192 2.642-5.289 5.959-8.696 5.226-4.537-0.975-4.537-8.066-5.668-11.581-0.583-1.772-1.677-3.391-3.195-4.496-1.327-0.98-2.916-1.542-4.522-1.85-3.687-0.708-7.49-0.334-11.168-1.094-1.841-0.375-3.654-1.113-5.06-2.386-1.34-1.176-2.266-2.75-2.908-4.397-1.386-3.588-1.668-7.481-2.9-11.114-1.783-5.23-5.311-9.854-9.906-12.925-0.969-0.654-2.022-1.292-2.649-2.312-0.51-0.797-0.465-1.93 0.203-2.625 1.126-1.226 3.161-1.327 4.462-0.313 2.666 1.891 3.051 5.565 5.536 7.621 4e-3 -3.394-0.013-6.785-0.019-10.177 8e-3 -0.98-0.101-2.035 0.389-2.926 0.446-0.844 1.68-1.073 2.397-0.44 0.969 0.812 1.264 2.137 1.402 3.336 0.482 4.675 0.948 9.352 1.432 14.03 2.436-2.188 3.555-5.739 2.767-8.924-0.239-1.017-0.626-2.063-0.407-3.118 0.179-0.885 1.118-1.508 2.003-1.35 0.995 0.135 1.705 0.988 2.078 1.864 0.594 1.452 0.596 3.069 0.476 4.611-0.353 3.512-1.839 6.755-2.864 10.097-0.999 2.95-1.686 6.228-0.685 9.275 0.892 2.849 3.153 5.101 5.806 6.378 3.275 1.609 6.964 2.109 10.573 2.251-2.194-3.84-4.58-7.903-4.539-12.471 0.043-4.599 2.967-8.473 3.757-12.912 1.346-7.364-1.977-15.369-8.163-19.594-2.748-1.888-6.047-2.728-8.87-4.479-2.554-1.563-4.848-4.345-4.447-7.513 1.94-0.751 4.106-0.271 5.857 0.737 3.422 1.826 5.599 5.288 9.038 7.086 1.208 0.659 2.593 0.985 3.969 0.901 0.745-1.786 0-3.786-1.202-5.177-2.261-2.724-6.077-3.385-8.441-5.989-1.185-1.359-1.846-3.301-1.348-5.078 0.405-1.404 1.858-2.36 3.305-2.254 2.143 0.133 3.988 1.475 5.453 2.952 4.847 4.845 7.636 11.435 8.73 18.132 1.292 7.899 0.288 15.957-1.303 23.735-0.297 1.585-0.853 3.21-0.442 4.828 0.177 0.749 0.717 1.522 1.547 1.589 1.141 0.073 2.084-0.704 2.915-1.385 2.599-2.123 4.665-4.981 5.517-8.254 0.666-2.386 0.685-4.884 0.638-7.341 0.013-1.229-0.078-2.586 0.657-3.65 0.525-0.822 1.505-1.468 2.513-1.229 0.79 0.15 1.35 0.835 1.591 1.569 0.388 1.209 0.329 2.514 0.095 3.747-0.743 3.403-1.415 6.85-2.761 10.081-0.95 2.319-2.233 4.524-3.971 6.341-1.916 2.031-4.283 3.659-5.827 6.026-1.053 1.617-1.734 3.626-1.277 5.558 0.334 1.541 1.507 2.799 2.922 3.441 2.061 0.941 4.563 0.893 6.572-0.166 1.594-0.862 2.727-2.352 3.629-3.883 1.589-2.754 2.552-5.812 3.351-8.874 1.229-4.944 1.953-10.013 2.237-15.1 0.325-5.433-0.661-11.051-3.4-15.797-1.456-2.541-3.515-4.705-5.92-6.361-2.166-1.611-4.548-3.006-6.305-5.093-1.643-1.934-2.782-4.544-2.184-7.111 1.124-0.706 2.543-0.829 3.788-0.387 2.349 0.799 4.189 2.685 5.375 4.819 1.611 2.515 2.955 5.508 5.793 6.874-2.309-4.542-4.69-9.045-7.027-13.571-0.76-1.529-1.509-3.2-1.311-4.949 0.144-1.333 1.382-2.426 2.719-2.42 1.187 4e-3 2.3 0.672 3.007 1.602 0.807 1.047 1.193 2.337 1.557 3.59 1.862 6.482 3.723 12.961 5.592 19.441 2.349-4.475 3.342-9.66 2.674-14.682-0.292-2.662-1.074-5.233-1.694-7.83-0.422-1.699-0.295-3.605 0.674-5.101z" style="fill:url(#Gradient_1)"/></g></svg>

docs/assets/img/productivity/writeas-dark.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><g><path fill="#fff" d="m0 0 5.805-20.007c0.285-1.016 0.586-2.114 0.902-3.293 0.32-1.18 0.609-2.266 0.871-3.258h0.066c0.145 0.992 0.387 2.058 0.727 3.207 0.344 1.144 0.656 2.187 0.941 3.133l2.797 9.172c0.211 0.66 0.399 1.257 0.567 1.789 0.164 0.531 0.336 1.019 0.511 1.468 0.18 0.446 0.348 0.871 0.516 1.274 0.164 0.402 0.352 0.801 0.567 1.203v0.07l-4.18-0.281v5.523h13.773v-4.64c-0.969 0-1.816-0.317-2.547-0.953-0.734-0.637-1.363-1.395-1.894-2.266-0.535-0.875-0.969-1.75-1.313-2.621-0.343-0.875-0.597-1.547-0.761-2.02l-8.25-23.972h-7.684l-4.992 15.472c-0.141 0.379-0.32 0.918-0.531 1.614-0.211 0.695-0.43 1.453-0.657 2.265-0.222 0.817-0.461 1.661-0.707 2.532-0.246 0.875-0.476 1.699-0.691 2.48h-0.07c-0.141-1.016-0.372-2.156-0.692-3.418-0.316-1.262-0.648-2.496-0.992-3.699-0.34-1.203-0.66-2.289-0.953-3.258-0.297-0.969-0.516-1.652-0.656-2.055l-4-11.933h-7.188l-8.781 25.14c-0.332 0.922-0.59 1.664-0.781 2.231-0.188 0.566-0.348 1.059-0.477 1.473-0.133 0.41-0.23 0.781-0.301 1.113-0.07 0.332-0.156 0.707-0.25 1.133l-2.832-0.141v5.523h17.387v-4.64c-1.016-0.07-1.73-0.375-2.145-0.918-0.414-0.543-0.617-1.242-0.617-2.09-0.023-0.402 4e-3 -0.828 0.086-1.273 0.086-0.45 0.196-0.911 0.34-1.383l2.441-8.852c0.286-1.062 0.559-2.179 0.832-3.347 0.27-1.168 0.489-2.356 0.657-3.559h0.07c0.117 0.52 0.234 1.051 0.356 1.594 0.117 0.543 0.246 1.129 0.386 1.754 0.145 0.625 0.309 1.312 0.496 2.054 0.192 0.742 0.414 1.563 0.676 2.457l5.309 18.203z" transform="matrix(.52961 0 0 -.52961 18.079 7.2492)"/></g><g><path fill="#5bc4ee" d="m0 0c0-3.285-2.664-5.949-5.949-5.949s-5.945 2.664-5.945 5.949 2.66 5.949 5.945 5.949 5.949-2.664 5.949-5.949" transform="matrix(.52961 0 0 -.52961 33.867 23.467)"/></g></svg>

docs/assets/img/productivity/writeas.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><g><path fill="#262424" d="m0 0 5.805-20.007c0.285-1.016 0.586-2.114 0.902-3.293 0.32-1.18 0.609-2.266 0.871-3.258h0.066c0.145 0.992 0.387 2.058 0.727 3.207 0.344 1.144 0.656 2.187 0.941 3.133l2.797 9.172c0.211 0.66 0.399 1.257 0.567 1.789 0.164 0.531 0.336 1.019 0.511 1.468 0.18 0.446 0.348 0.871 0.516 1.274 0.164 0.402 0.352 0.801 0.567 1.203v0.07l-4.18-0.281v5.523h13.773v-4.64c-0.969 0-1.816-0.317-2.547-0.953-0.734-0.637-1.363-1.395-1.894-2.266-0.535-0.875-0.969-1.75-1.313-2.621-0.343-0.875-0.597-1.547-0.761-2.02l-8.25-23.972h-7.684l-4.992 15.472c-0.141 0.379-0.32 0.918-0.531 1.614-0.211 0.695-0.43 1.453-0.657 2.265-0.222 0.817-0.461 1.661-0.707 2.532-0.246 0.875-0.476 1.699-0.691 2.48h-0.07c-0.141-1.016-0.372-2.156-0.692-3.418-0.316-1.262-0.648-2.496-0.992-3.699-0.34-1.203-0.66-2.289-0.953-3.258-0.297-0.969-0.516-1.652-0.656-2.055l-4-11.933h-7.188l-8.781 25.14c-0.332 0.922-0.59 1.664-0.781 2.231-0.188 0.566-0.348 1.059-0.477 1.473-0.133 0.41-0.23 0.781-0.301 1.113-0.07 0.332-0.156 0.707-0.25 1.133l-2.832-0.141v5.523h17.387v-4.64c-1.016-0.07-1.73-0.375-2.145-0.918-0.414-0.543-0.617-1.242-0.617-2.09-0.023-0.402 4e-3 -0.828 0.086-1.273 0.086-0.45 0.196-0.911 0.34-1.383l2.441-8.852c0.286-1.062 0.559-2.179 0.832-3.347 0.27-1.168 0.489-2.356 0.657-3.559h0.07c0.117 0.52 0.234 1.051 0.356 1.594 0.117 0.543 0.246 1.129 0.386 1.754 0.145 0.625 0.309 1.312 0.496 2.054 0.192 0.742 0.414 1.563 0.676 2.457l5.309 18.203z" transform="matrix(.52961 0 0 -.52961 18.079 7.2516)"/></g><g><path fill="#5bc4ee" d="m0 0c0-3.285-2.664-5.949-5.949-5.949s-5.945 2.664-5.945 5.949 2.66 5.949 5.945 5.949 5.949-2.664 5.949-5.949" transform="matrix(.52961 0 0 -.52961 33.867 23.464)"/></g></svg>

docs/assets/img/search-engines/duckduckgo-dark.svg

@@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.16306 0 0 .16306 -7.3167e-8 3.5791)" fill="none" fill-rule="evenodd"><g transform="translate(42.5)"><circle cx="60" cy="60" r="60" fill="#de5833" fill-rule="nonzero"/><path d="m110.8 38.5c-2.8-6.6-6.8-12.5-11.8-17.5-5.1-5.1-11-9-17.5-11.8-6.8-2.9-14-4.3-21.5-4.3-7.4 0-14.7 1.5-21.5 4.3-6.6 2.7-12.5 6.7-17.5 11.8-5.1 5.1-9 11-11.8 17.5-2.9 6.8-4.3 14-4.3 21.5s1.5 14.7 4.3 21.5c2.8 6.6 6.8 12.5 11.8 17.5 5.1 5.1 11 9 17.5 11.8 6.8 2.9 14 4.3 21.5 4.3 7.4 0 14.7-1.5 21.5-4.3 6.5-2.8 12.4-6.8 17.5-11.8 5.1-5.1 9-11 11.8-17.5 2.9-6.8 4.3-14 4.3-21.5s-1.4-14.7-4.3-21.5zm-38.8 71c-3.2-5.4-11.6-20.5-11.6-31.7 0-25.8 17.3-3.7 17.3-24.3 0-4.9-2.4-22.1-17.4-25.7-3.7-4.9-12.4-9.6-26.2-7.7 0 0 2.3 0.7 4.9 2 0 0-5 0.7-5.2 4.1 0 0 9.9-0.5 15.5 1.3-12.9 1.7-19.5 8.5-18.3 20.8 1.7 17.5 9.1 48.7 11.7 59.6-19.6-7-33.7-25.8-33.7-47.9 0-28.1 22.8-51 51-51s51 22.8 51 51c-0.1 24-16.7 44.1-39 49.5z" fill="#fff" fill-rule="nonzero"/><path d="m57.2 68.3c0-6.6 9-8.7 12.4-8.7 9.2 0 22.2-5.9 25.4-5.8 3.3 0.1 5.4 1.4 5.4 2.9 0 2.2-18.4 10.5-25.5 9.8-6.8-0.6-8.4 0.1-8.4 2.9 0 2.4 4.9 4.6 10.3 4.6 8.1 0 16-3.6 18.4-1.9 2.1 1.5-5.5 6.9-14.2 6.9s-23.8-4.1-23.8-10.7z" fill="#fed30a"/><g fill-rule="nonzero"><g fill="#2d4f8d"><path d="m73.2 40.3c-2.4-3.1-6.7-3.2-8.2 0.4 2.3-1.8 5.1-2.2 8.2-0.4zm-26.7 0.1c-3.3-2-8.8-2.2-8.5 4.1 1.6-3.9 3.8-4.6 8.5-4.1zm24.7 5.8c-1.8 0-3.3 1.5-3.3 3.3s1.5 3.3 3.3 3.3 3.3-1.5 3.3-3.3-1.5-3.3-3.3-3.3zm1.2 3.1c-0.5 0-1-0.4-1-1 0-0.5 0.4-1 1-1s1 0.4 1 1c-0.1 0.5-0.5 1-1 1zm-26.8-1.3c-2.1 0-3.8 1.7-3.8 3.8s1.7 3.8 3.8 3.8 3.8-1.7 3.8-3.8-1.7-3.8-3.8-3.8zm1.4 3.5c-0.6 0-1.1-0.5-1.1-1.1s0.5-1.1 1.1-1.1 1.1 0.5 1.1 1.1-0.5 1.1-1.1 1.1z"/></g><g fill="#d5d7d8"><path d="m37.3 31.8c-4.8 3.5-7 8.9-6.3 16.5 1.7 17.5 9.1 48.8 11.7 59.7l2.7 0.9c-1.6-6.6-9.3-38.8-12.7-63.5-0.9-6.6 1.7-10.5 4.6-13.6zm11.9-4.3c0.4 0 0.7-0.1 0.7-0.1-5.2-2.5-13.4-2.6-15.6-2.6-0.2 0.4-0.4 0.9-0.4 1.4-0.1 0.1 9.6-0.5 15.3 1.3zm-9.4-5.4c-1.6-1.1-2.9-1.8-3.7-2.2-0.7 0.1-1.3 0.1-2 0.2 0 0 2.3 0.7 4.9 2h-0.2z"/></g><path d="m80.1 88.6c-1.7-0.4-8.3 4.3-10.8 6.1-0.1-0.5-0.2-0.9-0.3-1.1-0.3-1-6.7-0.4-8.2 1.2-4-1.9-12-5.6-12.1-3.3-0.3 3 0 15.5 1.6 16.4 1.2 0.7 8-3 11.4-4.9h0.1c2.1 0.5 6 0 7.4-0.9 0.2-0.1 0.3-0.3 0.4-0.5 3.1 1.2 9.8 3.6 11.2 3.1 1.8-0.5 1.4-15.6-0.7-16.1z" fill="#67bd47"/><path d="m61.8 103c-2.1-0.4-1.4-2.5-1.4-7.4-0.5 0.3-0.9 0.7-0.9 1.1 0 4.9-0.8 7.1 1.4 7.4 2.1 0.5 6 0 7.6-0.9 0.3-0.2 0.4-0.5 0.5-1-1.5 0.9-5.2 1.3-7.2 0.8z" fill="#43a347"/></g></g><g fill="#fff" fill-rule="nonzero"><path d="m0 161.6v-24.6h8.9c8.5 0 12.4 6.2 12.4 12 0 6.3-3.8 12.6-12.4 12.6zm2.8-2.9h6.1c6.6 0 9.5-4.9 9.5-9.8 0-4.5-3-9.3-9.5-9.3h-6.1zm29.7 3.2c-4.6 0-7.5-3.1-7.5-8v-9.6h2.7v9.5c0 3.5 2 5.6 5.4 5.6 3.2 0 5.5-2.5 5.5-5.8v-9.3h2.7v17.3h-2.4l-0.2-3-0.4 0.5c-1.5 1.8-3.4 2.7-5.8 2.8zm21.7 0c-4.5 0-9-2.8-9-8.9 0-5.4 3.6-8.9 9-8.9 2.4 0 4.4 0.8 6.2 2.5l-1.7 1.7c-1.2-1.1-2.8-1.7-4.4-1.7-3.8 0-6.4 2.6-6.4 6.4 0 4.4 3.2 6.4 6.4 6.4 1.8 0 3.4-0.6 4.6-1.8l1.7 1.7c-1.8 1.7-4 2.6-6.4 2.6zm20.9-0.3-8.5-8.5v8.5h-2.6v-24.6h2.6v14.9l7.4-7.6h3.5l-8.2 8.1 9.2 9.1v0.1zm6.6 0v-24.6h8.9c8.5 0 12.4 6.2 12.4 12 0 6.3-3.8 12.6-12.4 12.6zm2.9-2.9h6.1c6.6 0 9.5-4.9 9.5-9.8 0-4.5-3-9.3-9.5-9.3h-6.1zm29.6 3.2c-4.6 0-7.5-3.1-7.5-8v-9.6h2.7v9.5c0 3.5 2 5.6 5.4 5.6 3.2 0 5.5-2.5 5.5-5.8v-9.3h2.7v17.3h-2.4l-0.1-3-0.4 0.5c-1.5 1.8-3.5 2.7-5.9 2.8zm21.7 0c-4.5 0-9-2.8-9-8.9 0-5.4 3.6-8.9 9-8.9 2.4 0 4.4 0.8 6.2 2.5l-1.7 1.7c-1.2-1.1-2.8-1.7-4.4-1.7-3.8 0-6.4 2.6-6.4 6.4 0 4.4 3.2 6.4 6.4 6.4 1.8 0 3.4-0.6 4.6-1.8l1.7 1.7-0.1 0.1c-1.7 1.7-3.8 2.5-6.3 2.5zm20.9-0.3-8.4-8.5v8.5h-2.6v-24.6h2.6v14.9l7.4-7.6h3.4l-8.1 8.1 9.1 9.1v0.1zm17.3 0.4c-9.5 0-12.8-6.8-12.8-12.5 0-3.8 1.3-7.1 3.6-9.5 2.3-2.3 5.5-3.5 9.2-3.5 3.4 0 6.5 1.3 8.9 3.6l-1.6 1.9c-1.9-1.8-4.7-2.9-7.3-2.9-6.9 0-10 5.4-10 10.4 0 4.9 3.1 9.9 10.1 9.9 2.5 0 4.9-0.9 6.8-2.5l0.1-0.1v-6.1h-7.7v-2.5h10.3v9.6c-2.7 2.9-5.8 4.2-9.6 4.2zm21.8-0.1c-5.2 0-8.9-3.7-8.9-8.9s3.8-9.1 8.9-9.1c5.3 0 9 3.7 9 9.1-0.1 5.1-3.8 8.9-9 8.9zm0-15.6c-3.7 0-6.3 2.7-6.3 6.6 0 3.7 2.6 6.4 6.3 6.4s6.3-2.6 6.4-6.4c-0.1-3.8-2.7-6.6-6.4-6.6z"/><path d="m206.4 162.2c0.2-0.1 0.3-0.2 0.3-0.4s-0.1-0.3-0.2-0.4-0.3-0.1-0.6-0.1-0.5 0-0.6 0.1v1.6h0.4v-0.7h0.2c0.2 0 0.3 0.1 0.3 0.3 0.1 0.2 0.1 0.3 0.1 0.4h0.4c0-0.1-0.1-0.2-0.1-0.4s-0.1-0.3-0.2-0.4zm-0.5-0.1h-0.2v-0.5h0.2c0.2 0 0.3 0.1 0.3 0.2 0.1 0.2 0 0.3-0.3 0.3z"/><path d="m206 160.5c-0.9 0-1.7 0.7-1.7 1.6s0.7 1.7 1.7 1.7c0.9 0 1.7-0.7 1.7-1.7 0-0.9-0.7-1.6-1.7-1.6zm0 3c-0.7 0-1.3-0.6-1.3-1.3s0.5-1.3 1.3-1.3c0.7 0 1.3 0.6 1.3 1.3s-0.6 1.3-1.3 1.3z"/></g></g></svg>

docs/assets/img/search-engines/duckduckgo.svg

@@ -1,2 +1 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.16306 0 0 .16306 -6.7576e-5 3.579)" fill="none" fill-rule="evenodd"><g transform="translate(42.5)"><circle cx="60" cy="60" r="60" fill="#de5833" fill-rule="nonzero"/><path d="m110.8 38.5c-2.8-6.6-6.8-12.5-11.8-17.5-5.1-5.1-11-9-17.5-11.8-6.8-2.9-14-4.3-21.5-4.3-7.4 0-14.7 1.5-21.5 4.3-6.6 2.7-12.5 6.7-17.5 11.8-5.1 5.1-9 11-11.8 17.5-2.9 6.8-4.3 14-4.3 21.5s1.5 14.7 4.3 21.5c2.8 6.6 6.8 12.5 11.8 17.5 5.1 5.1 11 9 17.5 11.8 6.8 2.9 14 4.3 21.5 4.3 7.4 0 14.7-1.5 21.5-4.3 6.5-2.8 12.4-6.8 17.5-11.8 5.1-5.1 9-11 11.8-17.5 2.9-6.8 4.3-14 4.3-21.5s-1.4-14.7-4.3-21.5zm-38.8 71c-3.2-5.4-11.6-20.5-11.6-31.7 0-25.8 17.3-3.7 17.3-24.3 0-4.9-2.4-22.1-17.4-25.7-3.7-4.9-12.4-9.6-26.2-7.7 0 0 2.3 0.7 4.9 2 0 0-5 0.7-5.2 4.1 0 0 9.9-0.5 15.5 1.3-12.9 1.7-19.5 8.5-18.3 20.8 1.7 17.5 9.1 48.7 11.7 59.6-19.6-7-33.7-25.8-33.7-47.9 0-28.1 22.8-51 51-51s51 22.8 51 51c-0.1 24-16.7 44.1-39 49.5z" fill="#fff" fill-rule="nonzero"/><path d="m57.2 68.3c0-6.6 9-8.7 12.4-8.7 9.2 0 22.2-5.9 25.4-5.8 3.3 0.1 5.4 1.4 5.4 2.9 0 2.2-18.4 10.5-25.5 9.8-6.8-0.6-8.4 0.1-8.4 2.9 0 2.4 4.9 4.6 10.3 4.6 8.1 0 16-3.6 18.4-1.9 2.1 1.5-5.5 6.9-14.2 6.9s-23.8-4.1-23.8-10.7z" fill="#fed30a"/><g fill-rule="nonzero"><g fill="#2d4f8d"><path d="m73.2 40.3c-2.4-3.1-6.7-3.2-8.2 0.4 2.3-1.8 5.1-2.2 8.2-0.4zm-26.7 0.1c-3.3-2-8.8-2.2-8.5 4.1 1.6-3.9 3.8-4.6 8.5-4.1zm24.7 5.8c-1.8 0-3.3 1.5-3.3 3.3s1.5 3.3 3.3 3.3 3.3-1.5 3.3-3.3-1.5-3.3-3.3-3.3zm1.2 3.1c-0.5 0-1-0.4-1-1 0-0.5 0.4-1 1-1s1 0.4 1 1c-0.1 0.5-0.5 1-1 1zm-26.8-1.3c-2.1 0-3.8 1.7-3.8 3.8s1.7 3.8 3.8 3.8 3.8-1.7 3.8-3.8-1.7-3.8-3.8-3.8zm1.4 3.5c-0.6 0-1.1-0.5-1.1-1.1s0.5-1.1 1.1-1.1 1.1 0.5 1.1 1.1-0.5 1.1-1.1 1.1z"/></g><g fill="#d5d7d8"><path d="m37.3 31.8c-4.8 3.5-7 8.9-6.3 16.5 1.7 17.5 9.1 48.8 11.7 59.7l2.7 0.9c-1.6-6.6-9.3-38.8-12.7-63.5-0.9-6.6 1.7-10.5 4.6-13.6zm11.9-4.3c0.4 0 0.7-0.1 0.7-0.1-5.2-2.5-13.4-2.6-15.6-2.6-0.2 0.4-0.4 0.9-0.4 1.4-0.1 0.1 9.6-0.5 15.3 1.3zm-9.4-5.4c-1.6-1.1-2.9-1.8-3.7-2.2-0.7 0.1-1.3 0.1-2 0.2 0 0 2.3 0.7 4.9 2h-0.2z"/></g><path d="m80.1 88.6c-1.7-0.4-8.3 4.3-10.8 6.1-0.1-0.5-0.2-0.9-0.3-1.1-0.3-1-6.7-0.4-8.2 1.2-4-1.9-12-5.6-12.1-3.3-0.3 3 0 15.5 1.6 16.4 1.2 0.7 8-3 11.4-4.9h0.1c2.1 0.5 6 0 7.4-0.9 0.2-0.1 0.3-0.3 0.4-0.5 3.1 1.2 9.8 3.6 11.2 3.1 1.8-0.5 1.4-15.6-0.7-16.1z" fill="#67bd47"/><path d="m61.8 103c-2.1-0.4-1.4-2.5-1.4-7.4-0.5 0.3-0.9 0.7-0.9 1.1 0 4.9-0.8 7.1 1.4 7.4 2.1 0.5 6 0 7.6-0.9 0.3-0.2 0.4-0.5 0.5-1-1.5 0.9-5.2 1.3-7.2 0.8z" fill="#43a347"/></g></g><g fill="#4c4c4c" fill-rule="nonzero"><path d="m0 161.6v-24.6h8.9c8.5 0 12.4 6.2 12.4 12 0 6.3-3.8 12.6-12.4 12.6zm2.8-2.9h6.1c6.6 0 9.5-4.9 9.5-9.8 0-4.5-3-9.3-9.5-9.3h-6.1zm29.7 3.2c-4.6 0-7.5-3.1-7.5-8v-9.6h2.7v9.5c0 3.5 2 5.6 5.4 5.6 3.2 0 5.5-2.5 5.5-5.8v-9.3h2.7v17.3h-2.4l-0.2-3-0.4 0.5c-1.5 1.8-3.4 2.7-5.8 2.8zm21.7 0c-4.5 0-9-2.8-9-8.9 0-5.4 3.6-8.9 9-8.9 2.4 0 4.4 0.8 6.2 2.5l-1.7 1.7c-1.2-1.1-2.8-1.7-4.4-1.7-3.8 0-6.4 2.6-6.4 6.4 0 4.4 3.2 6.4 6.4 6.4 1.8 0 3.4-0.6 4.6-1.8l1.7 1.7c-1.8 1.7-4 2.6-6.4 2.6zm20.9-0.3-8.5-8.5v8.5h-2.6v-24.6h2.6v14.9l7.4-7.6h3.5l-8.2 8.1 9.2 9.1v0.1zm6.6 0v-24.6h8.9c8.5 0 12.4 6.2 12.4 12 0 6.3-3.8 12.6-12.4 12.6zm2.9-2.9h6.1c6.6 0 9.5-4.9 9.5-9.8 0-4.5-3-9.3-9.5-9.3h-6.1zm29.6 3.2c-4.6 0-7.5-3.1-7.5-8v-9.6h2.7v9.5c0 3.5 2 5.6 5.4 5.6 3.2 0 5.5-2.5 5.5-5.8v-9.3h2.7v17.3h-2.4l-0.1-3-0.4 0.5c-1.5 1.8-3.5 2.7-5.9 2.8zm21.7 0c-4.5 0-9-2.8-9-8.9 0-5.4 3.6-8.9 9-8.9 2.4 0 4.4 0.8 6.2 2.5l-1.7 1.7c-1.2-1.1-2.8-1.7-4.4-1.7-3.8 0-6.4 2.6-6.4 6.4 0 4.4 3.2 6.4 6.4 6.4 1.8 0 3.4-0.6 4.6-1.8l1.7 1.7-0.1 0.1c-1.7 1.7-3.8 2.5-6.3 2.5zm20.9-0.3-8.4-8.5v8.5h-2.6v-24.6h2.6v14.9l7.4-7.6h3.4l-8.1 8.1 9.1 9.1v0.1zm17.3 0.4c-9.5 0-12.8-6.8-12.8-12.5 0-3.8 1.3-7.1 3.6-9.5 2.3-2.3 5.5-3.5 9.2-3.5 3.4 0 6.5 1.3 8.9 3.6l-1.6 1.9c-1.9-1.8-4.7-2.9-7.3-2.9-6.9 0-10 5.4-10 10.4 0 4.9 3.1 9.9 10.1 9.9 2.5 0 4.9-0.9 6.8-2.5l0.1-0.1v-6.1h-7.7v-2.5h10.3v9.6c-2.7 2.9-5.8 4.2-9.6 4.2zm21.8-0.1c-5.2 0-8.9-3.7-8.9-8.9s3.8-9.1 8.9-9.1c5.3 0 9 3.7 9 9.1-0.1 5.1-3.8 8.9-9 8.9zm0-15.6c-3.7 0-6.3 2.7-6.3 6.6 0 3.7 2.6 6.4 6.3 6.4s6.3-2.6 6.4-6.4c-0.1-3.8-2.7-6.6-6.4-6.6z"/><path d="m206.4 162.2c0.2-0.1 0.3-0.2 0.3-0.4s-0.1-0.3-0.2-0.4-0.3-0.1-0.6-0.1-0.5 0-0.6 0.1v1.6h0.4v-0.7h0.2c0.2 0 0.3 0.1 0.3 0.3 0.1 0.2 0.1 0.3 0.1 0.4h0.4c0-0.1-0.1-0.2-0.1-0.4s-0.1-0.3-0.2-0.4zm-0.5-0.1h-0.2v-0.5h0.2c0.2 0 0.3 0.1 0.3 0.2 0.1 0.2 0 0.3-0.3 0.3z"/><path d="m206 160.5c-0.9 0-1.7 0.7-1.7 1.6s0.7 1.7 1.7 1.7c0.9 0 1.7-0.7 1.7-1.7 0-0.9-0.7-1.6-1.7-1.6zm0 3c-0.7 0-1.3-0.6-1.3-1.3s0.5-1.3 1.3-1.3c0.7 0 1.3 0.6 1.3 1.3s-0.6 1.3-1.3 1.3z"/></g></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><g transform="matrix(.28222 0 0 .28222 -18.909 -5.3622)"><circle cx="127" cy="79" r="60" fill="#de5833"/><path fill="#fff" d="m177.8 57.5c-2.8-6.6-6.8-12.5-11.8-17.5-5.1-5.1-11-9-17.5-11.8-6.8-2.9-14-4.3-21.5-4.3-7.4 0-14.7 1.5-21.5 4.3-6.6 2.7-12.5 6.7-17.5 11.8-5.1 5.1-9 11-11.8 17.5-2.9 6.8-4.3 14-4.3 21.5s1.5 14.7 4.3 21.5c2.8 6.6 6.8 12.5 11.8 17.5 5.1 5.1 11 9 17.5 11.8 6.8 2.9 14 4.3 21.5 4.3 7.4 0 14.7-1.5 21.5-4.3 6.5-2.8 12.4-6.8 17.5-11.8 5.1-5.1 9-11 11.8-17.5 2.9-6.8 4.3-14 4.3-21.5s-1.4-14.7-4.3-21.5zm-38.8 71c-3.2-5.4-11.6-20.5-11.6-31.7 0-25.8 17.3-3.7 17.3-24.3 0-4.9-2.4-22.1-17.4-25.7-3.7-4.9-12.4-9.6-26.2-7.7 0 0 2.3 0.7 4.9 2 0 0-5 0.7-5.2 4.1 0 0 9.9-0.5 15.5 1.3-12.9 1.7-19.5 8.5-18.3 20.8 1.7 17.5 9.1 48.7 11.7 59.6-19.6-7-33.7-25.8-33.7-47.9 0-28.1 22.8-51 51-51s51 22.8 51 51c-0.1 24-16.7 44.1-39 49.5z"/><path fill="#fed30a" fill-rule="evenodd" d="m124.2 87.3c0-6.6 9-8.7 12.4-8.7 9.2 0 22.2-5.9 25.4-5.8 3.3 0.1 5.4 1.4 5.4 2.9 0 2.2-18.4 10.5-25.5 9.8-6.8-0.6-8.4 0.1-8.4 2.9 0 2.4 4.9 4.6 10.3 4.6 8.1 0 16-3.6 18.4-1.9 2.1 1.5-5.5 6.9-14.2 6.9s-23.8-4.1-23.8-10.7z" clip-rule="evenodd"/><g fill="#2d4f8d"><path d="m140.2 59.3c-2.4-3.1-6.7-3.2-8.2 0.4 2.3-1.8 5.1-2.2 8.2-0.4zm-26.7 0.1c-3.3-2-8.8-2.2-8.5 4.1 1.6-3.9 3.8-4.6 8.5-4.1zm24.7 5.8c-1.8 0-3.3 1.5-3.3 3.3s1.5 3.3 3.3 3.3 3.3-1.5 3.3-3.3-1.5-3.3-3.3-3.3zm1.2 3.1c-0.5 0-1-0.4-1-1 0-0.5 0.4-1 1-1s1 0.4 1 1c-0.1 0.5-0.5 1-1 1zm-26.8-1.3c-2.1 0-3.8 1.7-3.8 3.8s1.7 3.8 3.8 3.8 3.8-1.7 3.8-3.8-1.7-3.8-3.8-3.8zm1.4 3.5c-0.6 0-1.1-0.5-1.1-1.1s0.5-1.1 1.1-1.1 1.1 0.5 1.1 1.1-0.5 1.1-1.1 1.1z"/></g><g fill="#d5d7d8"><path d="m104.3 50.8c-4.8 3.5-7 8.9-6.3 16.5 1.7 17.5 9.1 48.8 11.7 59.7l2.7 0.9c-1.6-6.6-9.3-38.8-12.7-63.5-0.9-6.6 1.7-10.5 4.6-13.6zm11.9-4.3c0.4 0 0.7-0.1 0.7-0.1-5.2-2.5-13.4-2.6-15.6-2.6-0.2 0.4-0.4 0.9-0.4 1.4-0.1 0.1 9.6-0.5 15.3 1.3zm-9.4-5.4c-1.6-1.1-2.9-1.8-3.7-2.2-0.7 0.1-1.3 0.1-2 0.2 0 0 2.3 0.7 4.9 2h-0.2z"/></g><path fill="#67bd47" d="m147.1 107.6c-1.7-0.4-8.3 4.3-10.8 6.1-0.1-0.5-0.2-0.9-0.3-1.1-0.3-1-6.7-0.4-8.2 1.2-4-1.9-12-5.6-12.1-3.3-0.3 3 0 15.5 1.6 16.4 1.2 0.7 8-3 11.4-4.9h0.1c2.1 0.5 6 0 7.4-0.9 0.2-0.1 0.3-0.3 0.4-0.5 3.1 1.2 9.8 3.6 11.2 3.1 1.8-0.5 1.4-15.6-0.7-16.1z"/><path fill="#43a347" d="m128.8 122c-2.1-0.4-1.4-2.5-1.4-7.4-0.5 0.3-0.9 0.7-0.9 1.1 0 4.9-0.8 7.1 1.4 7.4 2.1 0.5 6 0 7.6-0.9 0.3-0.2 0.4-0.5 0.5-1-1.5 0.9-5.2 1.3-7.2 0.8z"/></g></svg>

docs/assets/img/search-engines/mini/duckduckgo.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><g transform="matrix(.28222 0 0 .28222 -18.909 -5.3622)"><circle cx="127" cy="79" r="60" fill="#de5833"/><path fill="#fff" d="m177.8 57.5c-2.8-6.6-6.8-12.5-11.8-17.5-5.1-5.1-11-9-17.5-11.8-6.8-2.9-14-4.3-21.5-4.3-7.4 0-14.7 1.5-21.5 4.3-6.6 2.7-12.5 6.7-17.5 11.8-5.1 5.1-9 11-11.8 17.5-2.9 6.8-4.3 14-4.3 21.5s1.5 14.7 4.3 21.5c2.8 6.6 6.8 12.5 11.8 17.5 5.1 5.1 11 9 17.5 11.8 6.8 2.9 14 4.3 21.5 4.3 7.4 0 14.7-1.5 21.5-4.3 6.5-2.8 12.4-6.8 17.5-11.8 5.1-5.1 9-11 11.8-17.5 2.9-6.8 4.3-14 4.3-21.5s-1.4-14.7-4.3-21.5zm-38.8 71c-3.2-5.4-11.6-20.5-11.6-31.7 0-25.8 17.3-3.7 17.3-24.3 0-4.9-2.4-22.1-17.4-25.7-3.7-4.9-12.4-9.6-26.2-7.7 0 0 2.3 0.7 4.9 2 0 0-5 0.7-5.2 4.1 0 0 9.9-0.5 15.5 1.3-12.9 1.7-19.5 8.5-18.3 20.8 1.7 17.5 9.1 48.7 11.7 59.6-19.6-7-33.7-25.8-33.7-47.9 0-28.1 22.8-51 51-51s51 22.8 51 51c-0.1 24-16.7 44.1-39 49.5z"/><path fill="#fed30a" fill-rule="evenodd" d="m124.2 87.3c0-6.6 9-8.7 12.4-8.7 9.2 0 22.2-5.9 25.4-5.8 3.3 0.1 5.4 1.4 5.4 2.9 0 2.2-18.4 10.5-25.5 9.8-6.8-0.6-8.4 0.1-8.4 2.9 0 2.4 4.9 4.6 10.3 4.6 8.1 0 16-3.6 18.4-1.9 2.1 1.5-5.5 6.9-14.2 6.9s-23.8-4.1-23.8-10.7z" clip-rule="evenodd"/><g fill="#2d4f8d"><path d="m140.2 59.3c-2.4-3.1-6.7-3.2-8.2 0.4 2.3-1.8 5.1-2.2 8.2-0.4zm-26.7 0.1c-3.3-2-8.8-2.2-8.5 4.1 1.6-3.9 3.8-4.6 8.5-4.1zm24.7 5.8c-1.8 0-3.3 1.5-3.3 3.3s1.5 3.3 3.3 3.3 3.3-1.5 3.3-3.3-1.5-3.3-3.3-3.3zm1.2 3.1c-0.5 0-1-0.4-1-1 0-0.5 0.4-1 1-1s1 0.4 1 1c-0.1 0.5-0.5 1-1 1zm-26.8-1.3c-2.1 0-3.8 1.7-3.8 3.8s1.7 3.8 3.8 3.8 3.8-1.7 3.8-3.8-1.7-3.8-3.8-3.8zm1.4 3.5c-0.6 0-1.1-0.5-1.1-1.1s0.5-1.1 1.1-1.1 1.1 0.5 1.1 1.1-0.5 1.1-1.1 1.1z"/></g><g fill="#d5d7d8"><path d="m104.3 50.8c-4.8 3.5-7 8.9-6.3 16.5 1.7 17.5 9.1 48.8 11.7 59.7l2.7 0.9c-1.6-6.6-9.3-38.8-12.7-63.5-0.9-6.6 1.7-10.5 4.6-13.6zm11.9-4.3c0.4 0 0.7-0.1 0.7-0.1-5.2-2.5-13.4-2.6-15.6-2.6-0.2 0.4-0.4 0.9-0.4 1.4-0.1 0.1 9.6-0.5 15.3 1.3zm-9.4-5.4c-1.6-1.1-2.9-1.8-3.7-2.2-0.7 0.1-1.3 0.1-2 0.2 0 0 2.3 0.7 4.9 2h-0.2z"/></g><path fill="#67bd47" d="m147.1 107.6c-1.7-0.4-8.3 4.3-10.8 6.1-0.1-0.5-0.2-0.9-0.3-1.1-0.3-1-6.7-0.4-8.2 1.2-4-1.9-12-5.6-12.1-3.3-0.3 3 0 15.5 1.6 16.4 1.2 0.7 8-3 11.4-4.9h0.1c2.1 0.5 6 0 7.4-0.9 0.2-0.1 0.3-0.3 0.4-0.5 3.1 1.2 9.8 3.6 11.2 3.1 1.8-0.5 1.4-15.6-0.7-16.1z"/><path fill="#43a347" d="m128.8 122c-2.1-0.4-1.4-2.5-1.4-7.4-0.5 0.3-0.9 0.7-0.9 1.1 0 4.9-0.8 7.1 1.4 7.4 2.1 0.5 6 0 7.6-0.9 0.3-0.2 0.4-0.5 0.5-1-1.5 0.9-5.2 1.3-7.2 0.8z"/></g></svg>

docs/assets/img/search-engines/mini/searxng-wordmark.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867"><g transform="matrix(.36928 0 0 .36928 -15.111 -6.7595)"><circle cx="75" cy="92" r="0" style="fill:none;stroke-width:12;stroke:#000"/><circle cx="75.921" cy="53.903" r="30" style="fill:none;stroke-width:10;stroke:#3050ff"/><path d="m67.515 37.915a18 18 0 0 1 21.051 3.3124 18 18 0 0 1 3.1373 21.078" style="fill:none;stroke-width:5;stroke:#3050ff"/><rect width="18.846" height="39.963" x="3.706" y="122.09" ry="0" transform="rotate(-46.235)" style="fill:#3050ff"/></g></svg>

docs/assets/img/search-engines/mini/startpage-dark.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 109 122"><g fill="none" fill-rule="nonzero"><path fill="#6573FF" d="M19.61 43.202c.468-12.964 10.896-23.35 23.862-23.767 12.966-.417 24.04 9.28 25.338 22.187 6.56.067 13.113.247 19.66.54C87.332 18.182 67.285-.518 43.284.011 19.284.54.08 20.106 0 44.112v.89a577.397 577.397 0 0 1 19.61-1.8Z"/><path fill="#E5E8FF" d="m78.68 71.932.2-.25a43.63 43.63 0 0 0 9.27-21.83c-6.667-.04-13.333.037-20 .23a24.68 24.68 0 0 1-46.8 3.29c-6.6.74-13.193 1.594-19.78 2.56 5.337 19.169 22.792 32.433 42.69 32.44A43.8 43.8 0 0 0 63 84.202l.28-.13.2.24 27.52 33.3a9.76 9.76 0 0 0 7.55 3.55 9.88 9.88 0 0 0 6.24-2.24c4.159-3.453 4.74-9.62 1.3-13.79l-27.41-33.2Z"/></g></svg>

docs/assets/img/search-engines/mini/startpage.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 109 122"><g fill="none" fill-rule="nonzero"><path fill="#6573FF" d="M19.61 43.202c.468-12.964 10.896-23.35 23.862-23.767 12.966-.417 24.04 9.28 25.338 22.187 6.56.067 13.113.247 19.66.54C87.332 18.182 67.285-.518 43.284.011 19.284.54.08 20.106 0 44.112v.89a577.397 577.397 0 0 1 19.61-1.8Z"/><path fill="#212649" d="m78.68 71.932.2-.25a43.63 43.63 0 0 0 9.27-21.83c-6.667-.04-13.333.037-20 .23a24.68 24.68 0 0 1-46.8 3.29c-6.6.74-13.193 1.594-19.78 2.56 5.337 19.169 22.792 32.433 42.69 32.44A43.8 43.8 0 0 0 63 84.202l.28-.13.2.24 27.52 33.3a9.76 9.76 0 0 0 7.55 3.55 9.88 9.88 0 0 0 6.24-2.24c4.159-3.453 4.74-9.62 1.3-13.79l-27.41-33.2Z"/></g></svg>

docs/assets/img/vpn/mini/mullvad.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 77 77"><g fill="none" fill-rule="nonzero"><path fill="#192E45" d="M0 38.274c0 21.152 17.152 38.274 38.274 38.274s38.274-17.122 38.274-38.274S59.426 0 38.274 0 0 17.122 0 38.274Z"/><path fill="#D0933A" d="m5.121 33.698 2.91-4.06-.182 5.848.818-4.394c2.424 4.91 8.364 11.697 13.788 15.334.576.394 1.061.818 1.394 1.242.697.273 1.394.425 2.091.546.364.06.758.09 1.122.121.363.03.757.03 1.12.03.365 0 .728-.03 1.092-.06.363-.03.727-.091 1.09-.152.364-.06.728-.12 1.061-.242.364-.091.697-.182 1.061-.303.333-.091.697-.243 1.03-.364.334-.151.667-.273 1-.454.334-.182.667-.334.97-.516.334-.151.637-.363.97-.545.333-.182.636-.394.97-.576.333-.182.636-.394.94-.576.302-.212.635-.394.938-.606.304-.212.637-.394.97-.606l.303-.182.152.091 2.182 1.455-2.213-.576c-.212.243-.424.485-.666.727-.273.273-.576.546-.849.819-.303.242-.606.515-.94.727-.333.242-.636.455-1 .667-.666.424-1.393.788-2.15 1.09-.364.152-.758.304-1.122.425-.394.121-.758.242-1.152.333-.394.091-.788.182-1.181.243-.394.06-.788.09-1.182.151-.788.03-1.606.03-2.394-.09-.394-.061-.788-.122-1.182-.213-.394-.09-.758-.212-1.121-.333a10.463 10.463 0 0 1-1.849-.91s-2.091.304-1.242 1.88c.848 1.575 2.12 1.424 1.515 3.272-.425 1-1.03 1.97-1.697 2.88-1.394 1.878-3.576 3.545-3.364 4.545 9.91 12.212 32.244 10.515 40.729-.394-.122-1.576-2.606-2.334-4.334-6.182.485.151 1.212.364 1.212.333 0-.03-2.06-3.364-2.151-3.697l1.333.091s-1.757-2.182-1.818-2.394l1.788-.242s-2.243-2.576-2.273-2.788l2.273.363-2.485-3h1.182l-1.394-2.03c-.243-.091-.485-.152-.728-.212l-.909-.273c-3.394-1.06-6.606-2.03-9.697-3.97-4.333-2.697-8.212-6-11.122-8.576l-5.848-2.849c-5.607-.424-10.88-.272-14.092.364l2.061-3.515-3.152 3.788c-.212-.06-.272-.182-.272-.182l.212-4.667-1 4.212c-.303-.151-.667-.212-1.03-.212A2.509 2.509 0 0 0 5.09 26.85c0 1.273.94 2.334 2.182 2.485l-2.152 4.364Z"/><path fill="#FFCC86" d="M8.637 24.486a2.813 2.813 0 0 0-1-.212 2.509 2.509 0 0 0-2.516 2.515c0 1.212.88 2.242 2.03 2.485h.061c.758-.243 2.273-2.273 2.03-3.546a2.807 2.807 0 0 0-.605-1.242Z"/><path fill="#FDD321" d="M30.728 21.243c-.454-1.242-.333-2.848.303-4.364.91-2.09 2.637-3.485 4.273-3.485.334 0 .637.061.94.182.94-.848 2.03-1.545 3.242-2.03 6.698-2.667 16.486 2.09 19.001 8.667 1.212 3.182.849 6.667-.182 9.849-.848 2.606-3.94 6.364-2.788 9.212-.454-.121-10.03-3.09-12.697-4.788-4.273-2.667-8.122-5.94-11-8.485l-.092-.091-9.727-4.606a3.306 3.306 0 0 1-.334-.182c1.394 0 6.698.636 9.061.121"/><path fill="#FFF" d="M33.607 22.334a1.58 1.58 0 0 1-.697-.151c-.485-.212-.848-.606-1.09-1.213-.425-1.03-.304-2.454.272-3.788.758-1.727 2.182-2.939 3.485-2.939.243 0 .485.06.727.151.637.273 1.091.91 1.243 1.819.182.97.03 2.09-.455 3.151-.757 1.728-2.212 2.97-3.485 2.97Z"/><path fill="#192E45" d="M35.547 14.728c.182 0 .363.03.545.121.485.212.849.758.97 1.485.151.879.03 1.91-.424 2.879-.667 1.545-1.97 2.667-3.061 2.667-.182 0-.364-.03-.515-.091-.455-.182-.697-.606-.818-.94-.364-.909-.273-2.242.242-3.454.697-1.546 1.97-2.667 3.06-2.667m0-.91c-1.454 0-3.06 1.334-3.908 3.243-.637 1.425-.728 2.97-.273 4.152.273.697.727 1.182 1.303 1.455.273.12.576.181.909.181 1.455 0 3.06-1.333 3.879-3.242.515-1.152.667-2.364.485-3.425-.182-1.06-.728-1.818-1.515-2.151-.243-.152-.546-.212-.88-.212Z"/></g></svg>

docs/basics/account-deletion.en.md

@@ -22,7 +22,7 @@ Desktop platforms also often have a password manager which may help you recover
 - Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
 - macOS [Passwords](https://support.apple.com/en-us/HT211145)
 - iOS [Passwords](https://support.apple.com/en-us/HT211146)
-- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en), or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
 
 ### Email
 
@@ -34,11 +34,11 @@ If you didn't use a password manager in the past or you think you have accounts
 
 In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
 
-When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately there is no guarantee that you will be able to reclaim access your account.
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account.
 
 ### GDPR (EEA residents only)
 
-Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service, or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
 
 ### Overwriting Account information
 
@@ -50,7 +50,7 @@ For the account email, either create a new alternate email account via your prov
 
 You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
 
-For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](basics/multi-factor-authentication) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](/passwords/#local-password-managers) can be useful for this).
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](/passwords/#local-password-managers) can be useful for this).
 
 If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
 
@@ -58,6 +58,6 @@ Even when you are able to delete an account, there is no guarantee that all your
 
 ## Avoid New Accounts
 
-As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
 
 --8<-- "includes/abbreviations.en.md"

docs/basics/common-threats.en.md

@@ -28,7 +28,7 @@ Whistleblowers and journalists, for example, can have a much more extreme threat
 
 <span class="pg-orange">:material-bug-outline: Passive Attacks</span>
 
-Security and privacy are often conflated, because you need security to obtain any semblance of privacy: Using tools which appear private is futile if they could easily be exploited by attackers to release your data later. However, the inverse is not necessarily true; the most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google, who, given their scale, have had minimal security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides a very secure service, very few would consider their data private in Google's free consumer products (Gmail, YouTube etc).
+Security and privacy are often conflated, because you need security to obtain any semblance of privacy: Using tools which appear private is futile if they could easily be exploited by attackers to release your data later. However, the inverse is not necessarily true; the most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google, who, given their scale, have had minimal security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides a very secure service, very few would consider their data private in Google's free consumer products (Gmail, YouTube, etc).
 
 When it comes to application security, we generally do not (and sometimes cannot) know if the software that we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there is generally no guarantee that their software does not have a serious vulnerability that could later be exploited.
 
@@ -38,7 +38,7 @@ To minimize the potential damage that a malicious piece of software can do, you
 
     Mobile operating systems are generally safer than desktop operating systems when it comes to application sandboxing. Apps cannot obtain root access and only have access to system resources which you grant them.
 
-    Desktop operating systems generally lag behind on proper sandboxing. Chrome OS has similar sandboxing properties to Android, and macOS has full system permission control and opt-in (for developers) sandboxing for applications, however these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make heavy use of virtual machines or containers, such as Qubes OS.
+    Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing properties to Android, and macOS has full system permission control and opt-in (for developers) sandboxing for applications, however these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make heavy use of virtual machines or containers, such as Qubes OS.
 
 <span class="pg-red">:material-target-account: Targeted Attacks</span>
 
@@ -82,11 +82,11 @@ Online, you can be tracked via a wide variety of methods, including but not limi
 - Your browser or device fingerprint
 - Payment method correlation
 
-Therefore your goals could be to segregate your online identities from each other, to blend in with other users, and to simply avoid giving out identifying information to anyone as much as possible.
+Therefore, your goals could be to segregate your online identities from each other, to blend in with other users, and to simply avoid giving out identifying information to anyone as much as possible.
 
 <span class="pg-blue">:material-eye-outline: Mass Surveillance</span>
 
-Governments often cite mass surveillance programs as necessary to combat terrorism and prevent crime, however it is most often used to disproportionately target minorities, political dissidents, and many other groups to create a chilling effect on free speech.
+Governments often cite mass surveillance programs as necessary to combat terrorism and prevent crime, however it is most often used to disproportionately target minorities, political dissidents and many other groups to create a chilling effect on free speech.
 
 !!! quote "ACLU: [The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
 
@@ -130,19 +130,19 @@ People concerned with the threat of censorship can use technologies like Tor to
 
     You should consider what aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using encrypted DNS can help you bypass rudimentary censorship systems based solely on DNS, but it cannot truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from the network administrators, but cannot hide that you are using those networks. Pluggable transports like Obfs4proxy, Meek or Shadowsocks can help you evade firewalls that block common VPN protocols or Tor, but an adversary can still figure out that you are actively trying to bypass their censorship system as opposed to just protecting your privacy through probing or deep packet inspection.
 
-You must always consider the risks involved with trying to bypass censorship, what the potential consequences are, and how sophisticated your adversary may be. Be extra cautious with your software selection, and have a backup plan in case you are caught.
+You must always consider the risks involved with trying to bypass censorship, what the potential consequences are, and how sophisticated your adversary may be. Be extra cautious with your software selection and have a backup plan in case you are caught.
 
 ## Common Misconceptions
 
-:material-numeric-1-circle: **Open source software is always secure** or **Proprietary software is more secure**
+:material-numeric-1-circle: **Open-source software is always secure** or **Proprietary software is more secure**
 
 These myths stem from a number of prejudices, but the source-availability and licensure of a software product does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you need to look at the reputation and security of each tool on an individual basis.
 
-Open-source software *can* be audited by third-parties, and is often more transparent regarding potential vulnerabilities than their proprietary counterparts. They can also be more flexible, allowing you to delve into the code and disable any suspicious functionality you find yourself. However, unless you review the code yourself there is no guarantee that code has ever been evaluated, especially with smaller software projects, and the open development process can sometimes be exploited by malicious parties to introduce new vulnerabilities into even large projects.[^4]
+Open-source software *can* be audited by third-parties and is often more transparent regarding potential vulnerabilities than their proprietary counterparts. They can also be more flexible, allowing you to delve into the code and disable any suspicious functionality you find yourself. However, unless you review the code yourself there is no guarantee that code has ever been evaluated, especially with smaller software projects, and the open development process can sometimes be exploited by malicious parties to introduce new vulnerabilities into even large projects.[^4]
 
 On the flip side, proprietary software is less transparent, but that does not imply it is not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
 
-At the end of the day, it is **vital** that you research and evaluate the privacy and security properties of each piece of software being used, and avoid making decisions based on biases.
+At the end of the day, it is **vital** that you research and evaluate the privacy and security properties of each piece of software being used and avoid making decisions based on biases.
 
 :material-numeric-2-circle: **Shifting trust can increase privacy**
 
@@ -153,7 +153,7 @@ We talk about "shifting trust" a lot when discussing solutions like VPNs, which
 
 :material-numeric-3-circle: **Privacy-focused solutions are inherently trustworthy**
 
-Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a privacy solution you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is a lack of end-to-end encryption, so you should make sure the provider you switch to actually implements end-to-end encryption, or use a tool like Cryptomator which provides end-to-end encryption on any cloud provider. Blindly switching to a "privacy-focused" provider which does not provide end-to-end encryption does not solve your problem, it merely shifts trust from Google to that provider.
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a privacy solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem, in this case, is a lack of end-to-end encryption, so you should make sure the provider you switch to actually implements end-to-end encryption or use a tool like Cryptomator which provides end-to-end encryption on any cloud provider. Blindly switching to a "privacy-focused" provider which does not provide end-to-end encryption does not solve your problem, it merely shifts trust from Google to that provider.
 
 The privacy policies and business practices of a provider you choose are very important, but should be considered secondary to technical guarantees of your privacy: Don't elect to merely shift trust to another provider when trusting a provider isn't a requirement at all.
 
@@ -179,13 +179,13 @@ One of the clearest threat models is one where people *know who you are* and one
 
         When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.
 
-2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're a part of an online community you may wish to retain persona that others know. The reason this is not anonymous is because if monitored over a period of time details about the owner may reveal further information, such as the way they write (lingustics), general knowledge about topics of interest etc.
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're a part of an online community, you may wish to retain a persona that others know. The reason this is not anonymous is that if monitored over a period of time details about the owner may reveal further information, such as the way they write (linguistics), general knowledge about topics of interest, etc.
 
     You may wish to use a VPN for this to mask your IP address. Financial transactions are more difficult and for this we'd suggest using anonymous cryptocurrencies such as Monero. Employing alt-coin shifting may also help disguise where your currency originated. Typically exchanges require KYC (know your customer) to be completed before they will allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution, however those often are more expensive and sometimes also require KYC.
 
 3. **Anonymous identity** - Anonymous identities are difficult to maintain over long periods of time for even the most experienced. They should be short-term and short lived identities which are rotated regularly.
 
-    Using Tor can help with this, it's also worth noting greater anonymity is possible through asynchronous (not real time communication). Real time communication is vulnerable to typing analysis patterns more than a slab of text distributed on a forum, email) etc that you've had time to think about, maybe even put through a translator and back again.
+    Using Tor can help with this, it's also worth noting greater anonymity is possible through asynchronous (not real-time communication). Real-time communication is vulnerable to typing analysis patterns (more than a slab of text distributed on a forum, email, etc) that you've had time to think about, maybe even put through a translator and back again.
 
 [^1]: United States Privacy and Civil Liberties Oversight Board: [Report on the Telephone Records Program Conducted under Section 215](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
 [^2]: Wikipedia: [Surveillance capitalism](https://en.wikipedia.org/wiki/Surveillance_capitalism)

docs/basics/dns-overview.en.md

@@ -79,7 +79,7 @@ Encrypted DNS can refer to one of a number of protocols, the most common ones be
 
 [**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83.
 
-Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third party software is still required](../dns.md#linux).
+Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#linux).
 
 ## What can an outside party see?
 
@@ -117,7 +117,7 @@ When we do a DNS lookup, it's generally because we want to access a resource. Be
 
 The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides.
 
-This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform, (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
+This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
 
 ### Server Name Indication (SNI)
 
@@ -163,7 +163,7 @@ Governments, in particular [China](https://www.zdnet.com/article/china-is-now-bl
 
 ### Online Certificate Status Protocol (OCSP)
 
-Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting a HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
+Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
 
 The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
 
@@ -224,7 +224,7 @@ We can simulate what a browser would do using the [`openssl`](https://en.wikiped
     wireshark -r /tmp/pg_ocsp.pcap
     ```
 
-    There will be two packets with the "OCSP" protocol; a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field:
+    There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field:
 
     ```bash
     ▸ Online Certificate Status Protocol
@@ -275,7 +275,7 @@ graph TB
     ispDNS --> | No | nothing(Do nothing)
 ```
 
-Encrypted DNS with a 3rd party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering.
+Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering.
 
 [List of recommended DNS servers](../dns.md){ .md-button }
 

docs/basics/email-security.en.md

@@ -17,17 +17,17 @@ Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipe
 
 ### What Email Clients Support E2EE?
 
-Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). This can be less secure as you are now relying on email providers to ensure that their encryption implementation works and has not been compromised in anyway.
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](/basics/multi-factor-authentication/) is not possible with plain password authentication.
 
 ### How Do I Protect My Private Keys?
 
-A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
+A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.
 
 It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.
 
 ## Email Metadata Overview
 
-Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message, and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
 
 Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
 

docs/basics/multi-factor-authentication.en.md

@@ -6,7 +6,7 @@ icon: 'material/two-factor-authentication'
 
 Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
 
-MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP, and FIDO.
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO.
 
 ## MFA Method Comparison
 
@@ -24,13 +24,13 @@ The security of push notification MFA is dependent on both the quality of the ap
 
 ### Time-based One-time Password (TOTP)
 
-TOTP is one of the most common forms of MFA available. When you set up TOTP you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
 
-The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret an adversary cannot generate new codes.
+The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes.
 
 If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
 
-Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you they may use it as many times as they like until it expires (generally 60 seconds).
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds).
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
@@ -38,7 +38,7 @@ Although not perfect, TOTP is secure enough for most people, and when [hardware
 
 ### Hardware security keys
 
-The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without a expensive processes and a forensics laboratory.
+The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
 
 These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
 
@@ -48,7 +48,7 @@ Yubico OTP is an authentication protocol typically implemented in hardware secur
 
 When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
 
-The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only only be used once, and when a successful authentication occurs the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
 
 <figure markdown>
   ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
@@ -56,7 +56,7 @@ The service will then forward the one-time password to the Yubico OTP server for
 
 There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.
 
-The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
+The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
 
 If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
 
@@ -66,13 +66,13 @@ If your threat model requires you to have different identities on different webs
 
 U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
 
-WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third party server. Instead it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
 
 <figure markdown>
   ![FIDO](../assets/img/multi-factor-authentication/fido.png)
 </figure>
 
-When you create an account the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
 
 This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
 
@@ -84,7 +84,7 @@ FIDO2 and WebAuthn have superior security and privacy properties when compared t
 
 Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy.
 
-Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
 
 If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
 
@@ -98,13 +98,13 @@ When configuring your MFA method, keep in mind that it is only as secure as your
 
 ### Backups
 
-You should always have backups for your MFA method. Hardware security keys can get lost, stolen, or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
+You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
 
-When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g [VeraCrypt](../encryption.md#veracrypt)).
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
 
 ### Initial Set Up
 
-When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey) have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
+When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
 
 ### Email and SMS
 
@@ -142,7 +142,7 @@ The command will prevent an adversary from bypassing MFA when the computer boots
 
     If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide.
 
-The `pam_u2f` module on Linux can provide two factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
+The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS.
 
 ### Qubes OS
 
@@ -160,6 +160,6 @@ SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How
 
 ### KeePass (and KeePassXC)
 
-KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
 
 --8<-- "includes/abbreviations.en.md"

docs/basics/threat-modeling.en.md

@@ -3,7 +3,7 @@ title: "Threat Modeling"
 icon: 'material/target-account'
 ---
 
-Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, et cetera. Often people find that the problem with the tools they see recommended is they're just too hard to start using!
+Balancing security, privacy and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, et cetera. Often people find that the problem with the tools they see recommended is they're just too hard to start using!
 
 If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
 
@@ -31,11 +31,11 @@ An “asset” is something you value and want to protect. In the context of dig
 
 ### Who do I want to protect it from?
 
-To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary.”== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
+To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
 
-*Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.*
+*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.*
 
-Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you're done security planning.
+Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning.
 
 ### How likely is it that I will need to protect it?
 
@@ -61,7 +61,7 @@ Security planning involves understanding how bad the consequences could be if an
 
 ==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.
 
-For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
+For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email than a mother who regularly emails her daughter funny cat videos.
 
 *Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.*
 
@@ -69,7 +69,7 @@ For example, an attorney representing a client in a national security case may b
 
 These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.
 
-**What do you want to protect? (Or, *what do you have that is worth protecting?*)**
+**What do you want to protect? (Or *what do you have that is worth protecting?*)**
 
 :   Your assets might include jewelry, electronics, important documents, or photos.
 
@@ -89,7 +89,7 @@ These questions can apply to a wide variety of situations, online and offline. A
 
 :   Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there?
 
-Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market, and consider adding a security system.
+Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system.
 
 Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.
 

docs/basics/tor-overview.md

@@ -11,9 +11,27 @@ Tor works by routing your traffic through a network comprised of thousands of vo
 
 Every time you connect to Tor, it will choose three nodes to build a path to the internet—this path is called a "circuit." Each of these nodes has its own function:
 
-- **The Entry Node**: Often called the guard node, this is the first node your computer connects to. The entry node sees your IP address, but does not see what you are connecting to. Unlike the other nodes, the Tor client will randomly select an entry node, and stick with it for 2 to 3 months to protect you from certain attacks.
-- **The Middle Node**: The second node to which your Tor client connects. This node can see which node traffic came from (the entry node) and which it goes to next. It does not, however, see your IP address, or the domain you are connecting to. This node is randomly picked from all Tor nodes for each circuit.
-- **The Exit Node**: This is where your traffic leaves the Tor network and is forwarded to your desired destination. The exit node does not know your IP (who you are) but it knows what you are connecting to. The exit node will, like the middle node, be chosen at random from the Tor nodes (if it runs with an exit flag).
+### The Entry Node
+
+The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to.
+
+Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
+
+[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
+
+### The Middle Node
+
+The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to.
+
+For each new circuit, the middle node is randomly selected out of all available Tor nodes.
+
+### The Exit Node
+
+The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to.
+
+The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2]
+
+[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
 
 <figure markdown>
   ![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
@@ -23,34 +41,39 @@ Every time you connect to Tor, it will choose three nodes to build a path to the
 
 ## Encryption
 
-Tor encrypts each packet three times, with the keys from the exit, middle, and entry node in that order. Once Tor has built a circuit, browsing is done as follows:
+Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order.
 
-1. When the packet arrives at the entry node the first layer of encryption is removed. In this encrypted packet it will find another encrypted packet with the middle node’s address. The entry node will then forward that to the middle node.
+Once Tor has built a circuit, data transmission is done as follows:
 
-2. When the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and find an encrypted packet with the exit nodes address. The middle node will then forward the packet to exit node.
+1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node.
 
-3. When the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
 
-Here is an alternative visualization of the process. Note how each node removes its own layer of encryption, and when the destination website returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
+3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
+
+Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back.
 
 <figure markdown>
   ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
   ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
-  <figcaption>Sending and recieving data through the Tor Network</figcaption>
+  <figcaption>Sending and receiving data through the Tor Network</figcaption>
 </figure>
 
-So, what do we learn from this? We learn that Tor allows us to connect to a website without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node makes the connection, the destination website will never know who you are (your IP address).
+Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address.
 
-## Drawbacks
+## Caveats
 
-Even with the strong privacy guarantees that Tor provides, one must be aware that Tor is not infallible. Global adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor via advanced traffic analysis. Furthermore, Tor does not protect you from exposing yourself. If you share to much data about your real identity, you may be deanonymized.
+Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect:
 
-Another downside is that exit nodes can watch your traffic, even if they do not know where it came from. This is especially problematic for websites which do not utilize HTTPS, meaning that the exit node can read all data that’s being sent through it. This in turn can lead to deanonymization if the traffic contains personal data.
+- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor Tor does not protect you from exposing yourself by mistake, such as if you share to much information about your real identity.
+- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible.
 
-We recommend using HTTPS over Tor where possible, but do not alter any settings inside Tor Browser aside from the built-in security slider, including not manually enabling HTTPS only mode, as this can be used for browser fingerprinting.
+If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting.
 
-If you are interested in trying out Tor we recommend using the official Tor Browser. Keep in mind that you should expect added network latency and reduced bandwidth because of the multi-hop routing nature of Tor.
+- [Browsers: Tor Browser :hero-arrow-circle-right-fill:](../browsers.md#tor-browser)
 
-## Further Reading
+## Additional Resources
 
-For people who want to know more about the Tor project and the Tor Browser, we recommend reading the [Tor Browser manual](https://tb-manual.torproject.org/about/).
+- [Tor Browser User Manual](https://tb-manual.torproject.org)
+- [How Tor Works - Computerphile](https://www.youtube-nocookie.com/embed/QRYzre4bf7I) <small>(YouTube)</small>
+- [Tor Onion Services - Computerphile](https://www.youtube-nocookie.com/embed/lVcbq_a5N9I) <small>(YouTube)</small>

docs/basics/vpn-overview.en.md

@@ -3,19 +3,19 @@ title: VPN Overview
 icon: material/vpn
 ---
 
-Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (ie. modem).
+Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem).
 
-Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](/basics/dns.md/#why-shouldnt-i-use-encrypted-dns).
+Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading but they can get an idea of the [domains you request](dns-overview.md#why-shouldnt-i-use-encrypted-dns).
 
 A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it.
 
 ## Should I use a VPN?
 
-**Yes**, unless you are already using Tor. A VPN does 2 things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third party service.
+**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service.
 
 VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.
 
-However, they do hide your actual IP from a third party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
+However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.
 
 ## What about encryption?
 
@@ -25,23 +25,23 @@ In order to keep what you actually do on the websites you visit private and secu
 
 ## Should I use encrypted DNS with a VPN?
 
-Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third party servers will simply add more entities to trust, and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
+Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.
 
 A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.
 
-Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you.
+Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.
 
 ## Should I use Tor *and* a VPN?
 
-By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](tor-overview.md).
+By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](tor-overview.md).
 
 ## What if I need anonymity?
 
 VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
 
-## What about VPN providers that provides Tor nodes?
+## What about VPN providers that provide Tor nodes?
 
-Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [http3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
+Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
 
 Thus, this feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For true anonymity, use the Tor Browser Bundle, TorSocks, or a Tor gateway.
 
@@ -51,7 +51,7 @@ A VPN may still be useful to you in a variety of scenarios, such as:
 
 1. Hiding your traffic from **only** your Internet Service Provider.
 2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
-3. Hiding your IP from third party websites and services, preventing IP based tracking.
+3. Hiding your IP from third-party websites and services, preventing IP based tracking.
 
 For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
 

docs/calendar-contacts.en.md

@@ -2,38 +2,18 @@
 title: "Calendar and Contact Sync"
 icon: material/calendar
 ---
-Calendaring and contacts are some of the most sensitive data posess. Use only products that use E2EE at rest. This prevents a provider from reading your data.
+Calendars and contacts contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them.
 
-## Cloud/SaaS Providers
-
-These products are included with an subscription with their respective [email providers](email.md).
-
-### Proton Calendar
-
-!!! recommendation
-
-    ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ align=right }
-
-    **Proton Calendar** is an encrypted calendar serivce available to Proton Mail members. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. Proton Calendar is currently only available for the web and Android.
-
-    [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        - [:octicons-browser-16: Web](https://calendar.proton.me)
-        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
-
-### Tutanota
+## Tutanota
 
 !!! recommendation
 
     ![Tutanota logo](assets/img/calendar-contacts/tutanota.svg#only-light){ align=right }
     ![Tutanota logo](assets/img/calendar-contacts/tutanota-dark.svg#only-dark){ align=right }
 
-    **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://tutanota.com/calendar-app-comparison/). Multiple calendars and extended sharing functionality is limited to paid subscribers.
+    **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/).
+
+    Multiple calendars and extended sharing functionality is limited to paid subscribers.
 
     [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" }
@@ -52,39 +32,15 @@ These products are included with an subscription with their respective [email pr
         - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota)
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
 
-## Self-hostable
-
-Some of these options are self-hostable, but could be offered by third party SaaS providers for a fee:
-
-### DecSync CC
-
-!!! recommendation
-
-    ![DecSync logo](assets/img/calendar-contacts/decsync.svg){ align=right }
-
-    **DecSync CC** synchronizes contacts, calendars and tasks using DecSync. It stores this data in a shared directory, using [Syncthing](file-sharing/#syncthing), or any other file synchronization service.
-
-    There are [plugins](https://github.com/39aldo39/DecSync#rss) to sync other types of data such as [RSS](news-aggregators.md).
-
-    [:octicons-repo-16: Repository](https://github.com/39aldo39/DecSync){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://github.com/39aldo39/DecSync/blob/master/design.md){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/39aldo39/DecSync){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://github.com/39aldo39/DecSync#donations){ .card-link title=Contribute }
-
-    ??? downloads
-
-        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.decsync.cc)
-        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.decsync.cc)
-
-### EteSync
+## EteSync
 
 !!! recommendation
 
     ![EteSync logo](assets/img/calendar-contacts/etesync.svg){ align=right }
 
-    **EteSync** is a secure, end-to-end encrypted, and privacy-respecting cloud backup and synchronization software for your personal information (e.g. contacts and calendars). There are native clients for Android, iOS, and the web, and an adapter layer for most desktop clients.
+    **EteSync** is a secure, end-to-end encrypted, and privacy-respecting cloud backup and synchronization software for your personal information, including contacts and calendars. There are native clients for Android, iOS, with a web client and an adapter layer for most desktop clients available too. Etesync does [not](https://www.etesync.com/faq/#2fa) currently support multi-factor authentication.
 
-    EteSync also offers optional software as a service for [$24 per year](https://dashboard.etebase.com/user/partner/pricing/) to use, or you can host the server yourself for free.
+    EteSync offers a SaaS for [$24/year](https://dashboard.etebase.com/user/partner/pricing/), or you can host the server yourself for free.
 
     [:octicons-home-16: Homepage](https://www.etesync.com){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://www.etesync.com/tos/#privacy){ .card-link title="Privacy Policy" }
@@ -95,34 +51,32 @@ Some of these options are self-hostable, but could be offered by third party Saa
     ??? downloads
 
         - [:octicons-device-desktop-16: Client Setup](https://github.com/etesync/etesync-dav/blob/master/README.md#specific-client-notes-and-instructions)
-        - [:fontawesome-brands-google-play: Google PLay](https://play.google.com/store/apps/details?id=com.etesync.syncadapter)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.etesync.syncadapter)
         - [:pg-f-droid: F-Droid](https://f-droid.org/app/com.etesync.syncadapter)
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/apple-store/id1489574285)
+        - [:fontawesome-brands-docker: Docker Hub](https://hub.docker.com/r/victorrds/etesync)
 
-### Nextcloud
+## Proton Calendar
 
 !!! recommendation
 
-    ![Nextcloud logo](assets/img/calendar-contacts/nextcloud.svg){ align=right }
+    ![Proton](assets/img/calendar-contacts/proton-calendar.svg){ align=right }
 
-    **Nextcloud** is a suite of client-server software for creating and using file hosting services. This includes calendar sync via CalDAV and contacts sync via CardDAV. Nextcloud is free and open-source, thereby allowing anyone to install and operate it without charge on a private server.
+    **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers.
 
-    You can self-host Nextcloud or pay for service from a [provider](https://nextcloud.com/signup/).
+    **Proton Mail** can be used to synchronize contacts. Likewise, the service is currently only available via the web and mobile clients.
 
-    [:octicons-home-16: Homepage](https://nextcloud.com/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://nextcloud.com/privacy/){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute }
+    [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" }
 
     ??? downloads
 
-        - [:fontawesome-brands-windows: Windows](https://nextcloud.com/install/#install-clients)
-        - [:fontawesome-brands-apple: macOS](https://nextcloud.com/install/#install-clients)
-        - [:fontawesome-brands-linux: Linux](https://nextcloud.com/install/#install-clients)
-        - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.nextcloud.desktopclient.nextcloud)
-        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
-        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.nextcloud.client)
-        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/nextcloud/id1125420102)
+        - [:octicons-browser-16: Web](https://calendar.proton.me)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+
+!!! warning
+    Proton [does not](https://proton.me/support/proton-contacts#verify) use E2EE for your contact names and email addresses.
 
 --8<-- "includes/abbreviations.en.md"

docs/cloud.en.md

@@ -48,7 +48,7 @@ If these alternatives do not fit your needs, we suggest you look into [Encryptio
 
 We recommend checking if your Nextcloud provider supports E2EE, otherwise you have to trust the provider to not look at your files.
 
-When self-hosting Nextcloud, you should also enable E2EE to protect against your hosting provider snooping on your data.
+When self-hosting, you should also enable E2EE to protect against your hosting provider snooping on your data.
 
 ## Proton Drive
 
@@ -67,29 +67,4 @@ Proton Drive is currently in beta and only is only available through a web clien
 
 When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](basics/threat-modeling.md), consider using an alternative.
 
-## Tahoe-LAFS
-
-!!! note
-
-    Due to the complexity of the system and the amount of nodes needed to set it up, Tahoe-LAFS is only recommended for seasoned system administrators.
-
-!!! recommendation
-
-    ![Tahoe-LAFS logo](./assets/img/cloud/tahoe-lafs.svg#only-light){ align=right }
-    ![Tahoe-LAFS logo](./assets/img/cloud/tahoe-lafs-dark.svg#only-dark){ align=right }
-
-    **Tahoe-LAFS** is a free, open, and decentralized cloud storage system. It distributes your data across multiple servers. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security. The servers used as storage pools do not have access to your data.
-
-    [:octicons-home-16: Homepage](https://www.tahoe-lafs.org){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://tahoe-lafs.readthedocs.io/en/latest/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://www.tahoe-lafs.org/trac/tahoe-lafs/browser){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://tahoe-lafs.readthedocs.io/en/latest/donations.html){ .card-link title=Contribute }
-
-    ??? downloads
-
-        - [:fontawesome-brands-windows: Windows](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#microsoft-windows)
-        - [:fontawesome-brands-apple: macOS](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#linux-bsd-or-macos)
-        - [:fontawesome-brands-linux: Linux](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#linux-bsd-or-macos)
-        - [:pg-netbsd: NetBSD](https://tahoe-lafs.readthedocs.io/en/latest/Installation/install-tahoe.html#linux-bsd-or-macos)
-
 --8<-- "includes/abbreviations.en.md"

docs/desktop-browsers.en.md

@@ -1,10 +1,8 @@
 ---
-title: "Web Browsers"
+title: "Desktop Browsers"
 icon: octicons/browser-16
 ---
-These are our currently recommended web browsers and configurations. In general, we recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
-
-## General Recommendations
+These are our currently recommended desktop web browsers and configurations. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
 
 ### Tor Browser
 
@@ -14,7 +12,9 @@ These are our currently recommended web browsers and configurations. In general,
 
     **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor Bridges and [Tor Network](https://en.wikipedia.org/wiki/Tor_(network)), along with settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*.
 
-    The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default security levels.
+    The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/).
+
+    For further information about the Tor Browser, we suggest taking a look at the [manual](https://tb-manual.torproject.org/about/).
 
     [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary }
     [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title=Onion }
@@ -28,13 +28,10 @@ These are our currently recommended web browsers and configurations. In general,
         - [:fontawesome-brands-apple: macOS](https://www.torproject.org/download/)
         - [:fontawesome-brands-linux: Linux](https://www.torproject.org/download/)
         - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.github.micahflee.torbrowser-launcher)
-        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
-        - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid/)
 
 !!! danger
-    You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Browser extensions make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
 
-## Desktop Recommendations
+    You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Nor should you manually enable HTTPS-only mode or edit `about:config` settings. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
 
 ### Firefox
 
@@ -62,7 +59,7 @@ These are our currently recommended web browsers and configurations. In general,
 
 #### Recommended Configuration
 
-Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](#tor-browser) will be traceable by *somebody* in some regard or another.
+Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](#tor-browser) will be traceable by *somebody* in some regard or another.
 
 These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
 
@@ -118,12 +115,10 @@ The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of ca
 
     ![Brave logo](assets/img/browsers/brave.svg){ align=right }
 
-    **Brave Browser** includes a built in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+    **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
 
     Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
 
-    We don't recommend Brave's mobile browser offerings as there are better [options](#mobile-recommendations) for mobile platforms.
-
     [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
     [:pg-tor:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title=Onion }
     [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
@@ -140,7 +135,7 @@ The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of ca
 
 #### Recommended Configuration
 
-Tor Browser is the only way to truly browse the internet anonymously. When you use Brave we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](#tor-browser) will be traceable by *somebody* in some regard or another.
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](#tor-browser) will be traceable by *somebody* in some regard or another.
 
 These options can be found in :material-menu: → **Settings**.
 
@@ -152,6 +147,7 @@ Shields' options can be downgraded on a per-site basis as needed, but by default
 
 <div class="annotate" markdown>
 
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
 - [x] Select **Aggressive** under Trackers & ads blocking
 
     ??? warning "Use default filter lists"
@@ -170,7 +166,7 @@ Shields' options can be downgraded on a per-site basis as needed, but by default
 
 ##### Privacy and Security
 
-- [ ] Select **Disable Non-Proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [x] Select **Disable Non-Proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
 - [ ] Uncheck **Use Google services for push messaging**
 - [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
 - [ ] Uncheck **Automatically send daily usage ping to Brave**
@@ -199,11 +195,11 @@ Disable built-in extensions you do not use in **Extensions**
 
 InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
 
-- [ ] Select **Disabled** on Method to resolve IPFS resources
+- [x] Select **Disabled** on Method to resolve IPFS resources
 
 ##### Additional settings
 
-Under the system *System* menu
+Under the *System* menu
 
 <div class="annotate" markdown>
 
@@ -213,106 +209,6 @@ Under the system *System* menu
 
 1. This option is not present on all platforms.
 
-## Mobile Recommendations
-
-On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
-
-On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
-
-### Bromite
-
-!!! recommendation
-
-    ![Bromite logo](assets/img/browsers/bromite.svg){ align=right }
-
-    **Bromite** is a Chromium-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization.
-
-    [:octicons-home-16: Homepage](https://www.bromite.org){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.bromite.org/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://github.com/bromite/bromite/wiki){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/bromite/bromite){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://github.com/bromite/bromite#donate){ .card-link title=Contribute }
-
-    ??? downloads annotate
-
-        - [:pg-f-droid: F-Droid](https://www.bromite.org/fdroid) (1)
-
-    1. If you use [Neo Store](/android/#neo-store), you can enable the *Bromite repository* in:<br> :material-dots-vertical: → **Repositories**
-
-These options can be found in :material-menu: → :gear: **Settings** → **Privacy and Security**.
-
-#### Recommended Configuration
-
-##### HTTPS-Only Mode
-
-- [x] Select **Always use secure connections**
-
-This prevents you from unintentionally connecting to a website in plain-text HTTP. The HTTP protocol is extremely uncommon nowadays, so this should have little to no impact on your day to day browsing.
-
-##### Always-on Incognito Mode
-
-- [x] Select **Open links in incognito tabs always**
-- [x] Select **Close all open tabs on exit**
-- [x] Select **Open external links in incognito**
-
-### Safari
-
-!!! recommendation
-
-    ![Safari logo](assets/img/browsers/safari.svg){ align=right }
-
-    **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
-
-    [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
-
-#### Recommended Configuration
-
-These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
-
-##### Cross-Site Tracking Prevention
-
-- [x] Enable **Prevent Cross-Site Tracking**
-
-This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
-
-##### Privacy Report
-
-Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
-
-Privacy Report is accessible via the Page Settings menu (:pg-textformat-size:).
-
-##### Privacy Preserving Ad Measurement
-
-- [ ] Disable **Privacy Preserving Ad Measurement**
-
-Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
-
-The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
-
-##### Apple Pay
-
-If you do not use Apple Pay, you can toggle off the ability for websites to check for it.
-
-- [ ] Disable **Allow websites to check for Apple Pay and Apple Card**
-
-##### Always-on Private Browsing
-
-Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
-
-- [x] Select **Private**
-
-Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
-
-Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
-
-##### iCloud Sync
-
-Synchronization of Safari History, Tab Groups, iCloud Tabs, and saved passwords are E2EE. However, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
-
-If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
-
 ## Additional Resources
 
 We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin or AdGuard may prove useful if you value content blocking functionality.
@@ -336,30 +232,7 @@ We generally do not recommend installing any extensions as they increase your at
         - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
         - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
 
-We suggest leaving the extension in its default configuration. Additional filter lists can impact performance and may increase attack surface, so only apply what you need. If there is a [vulnerability in uBlock Origin](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) a third party filter could add malicious rules that can potentially steal user data.
-
-### AdGuard for iOS
-
-!!! recommendation
-
-    ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
-
-    **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
-
-    AdGuard for iOS has some premium features, however the standard Safari content blocking is free of charge.
-
-    [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/apple-store/id1047223162)
-
-Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
-
-There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) which is able to perform system-wide content blocking by means of DNS filtering.
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and may increase attack surface, so only apply what you need. If there is a [vulnerability in uBlock Origin](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) a third-party filter could add malicious rules that can potentially steal user data.
 
 ### Snowflake
 
@@ -383,14 +256,17 @@ There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html
         - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie){ .card-link title=Chrome }
         - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy")
 
+??? tip "Embedded Snowflake"
+
+    You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
+
+    <center><iframe src="https://snowflake.torproject.org/embed.html" width="320" height="240" frameborder="0" scrolling="no"></iframe></center>
+    <small>If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html).</small>
+
 Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours.
 
 Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy.
 
-You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface.
-
-<center><iframe src="https://snowflake.torproject.org/embed.html" width="320" height="240" frameborder="0" scrolling="no"></iframe></center>
-
 ### Terms of Service; Didn't Read
 
 !!! recommendation

docs/dns.en.md

@@ -5,9 +5,9 @@ icon: material/dns
 
 !!! faq "Should I use encrypted DNS?"
 
-    Encrypted DNS with third party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.
+    Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.
 
-    [Learn more about DNS](basics/dns.md){ .md-button }
+    [Learn more about DNS](basics/dns-overview.md){ .md-button }
 
 ## Recommended Providers
 
@@ -15,22 +15,24 @@ icon: material/dns
 | ------------ | -------------- | --------- | ------- | --- | --------- |
 | [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS)
 | [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext <br> DoH <br> DoT | Some[^2] | No | Based on server choice.|
-| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH <br> DoT | No[^3] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock)
-| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Optional[^4] | Optional | Based on server choice. |
-| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^5] | Optional |  Based on server choice, Malware blocking by default. |
+| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Optional[^3] | No | Based on server choice. |
+| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH <br> DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock)
+| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Optional[^5] | Optional | Based on server choice. |
+| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^6] | Optional |  Based on server choice, Malware blocking by default. |
 
 [^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
 [^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
-[^3]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
-[^4]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
-[^5]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
+[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
+[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/)
+[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy)
+[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/)
 
 The criteria for the servers listed above are:
 
-- Must support [DNSSEC](basics/dns.md#what-is-dnssec)
+- Must support [DNSSEC](basics/dns-overview.md#what-is-dnssec)
 - Must have [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support
-- [QNAME Minimization](basics/dns.md#what-is-qname-minimization)
-- Allow for [ECS](basics/dns.md#what-is-edns-client-subnet-ecs) to be disabled
+- [QNAME Minimization](basics/dns-overview.md#what-is-qname-minimization)
+- Allow for [ECS](basics/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled
 
 ## Native Operating System Support
 
@@ -72,7 +74,7 @@ Select **Settings** &rarr; **Network & Internet** &rarr; **Ethernet or WiFi**, &
 
 ## Encrypted DNS Proxies
 
-Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](basics/dns.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](basics/dns.md#what-is-encrypted-dns).
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](basics/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](basics/dns-overview.md#what-is-encrypted-dns).
 
 ### RethinkDNS
 
@@ -81,7 +83,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
     ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
     ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
 
-    **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), [DNS-over-TLS](basics/dns.md#dns-over-tls-dot), [DNSCrypt](basics/dns.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+    **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](basics/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](basics/dns-overview.md#dns-over-tls-dot), [DNSCrypt](basics/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
 
     [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
@@ -99,7 +101,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
 
     ![DNSCloak logo](assets/img/ios/dnscloak.png){ align=right }
 
-    **DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), [DNSCrypt](basics/dns.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. You can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
+    **DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](basics/dns-overview.md#dns-over-https-doh), [DNSCrypt](basics/dns-overview.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. You can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
 
     [:octicons-repo-16: Repository](https://github.com/s-s/dnscloak){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view){ .card-link title="Privacy Policy" }
@@ -115,9 +117,9 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
 
     ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
 
-    **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](basics/dns.md#dnscrypt), [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+    **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](basics/dns-overview.md#dnscrypt), [DNS-over-HTTPS](basics/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
 
-    !!! warning "The anonymized DNS feature does [**not**](basics/dns.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+    !!! warning "The anonymized DNS feature does [**not**](basics/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
 
     [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
     [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
@@ -132,7 +134,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
 
 ## Self-hosted Solutions
 
-A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IOT devices, as no client-side software is needed.
+A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
 
 ### AdGuard Home
 
@@ -140,7 +142,7 @@ A self-hosted DNS solution is useful for providing filtering on controlled platf
 
     ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right }
 
-    **AdGuard Home** is an open source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
+    **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements.
 
     AdGuard Home features a polished web interface to view insights and manage blocked content.
 

docs/email-clients.en.md

@@ -2,12 +2,12 @@
 title: "Email Clients"
 icon: material/email-open
 ---
-Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](multi-factor-authentication) and prevent account theft.
+Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft.
 
 ??? Attention "Email does not provide forward secrecy"
     When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
 
-    OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md). Consider using a medium that provides forward secrecy:
+    OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy:
 
     [Real-time Communication](real-time-communication.md){ .md-button }
 
@@ -19,7 +19,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 
     ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right }
 
-    **Thunderbird** is a free, open source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
+    **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
 
     [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" }
@@ -70,7 +70,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 
     Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
 
-Canary Mail is closed source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
+Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
 
 ### FairEmail (Android)
 
@@ -78,7 +78,7 @@ Canary Mail is closed source. We recommend it due to the few choices there are f
 
     ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right }
 
-    **FairEmail** is a minimal, open source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage.
+    **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage.
 
     [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" }
@@ -117,6 +117,8 @@ Canary Mail is closed source. We recommend it due to the few choices there are f
 
     **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
 
+    In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android.
+
     [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" }
     [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation}

docs/email.en.md

@@ -16,6 +16,54 @@ For everything else, we recommend a variety of email providers based on sustaina
 
 ## Recommended Email Providers
 
+### Proton Mail
+
+!!! recommendation
+
+    ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
+
+    **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
+
+    Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts are available starting at **€48/y** which include features like Proton Mail Bridge, additional storage, and custom domain support.
+
+    With the [transition to Proton.me](https://proton.me/news/updated-proton), paid plans have changed. Existing users before the 25 May 2022 will get to keep their [existing plan](https://proton.me/support/upgrading-to-new-proton-plan) pricing.
+
+    **Free**
+
+    [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
+    [:pg-tor:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title=Onion }
+    [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
+
+??? check "Custom Domains and Aliases"
+
+    Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
+
+??? check "Private Payment Methods"
+
+    Proton Mail [accepts](https://proton.me/support/payment-options) Bitcoin and cash by mail in addition to standard credit/debit card and PayPal payments.
+
+??? check "Account Security"
+
+    Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
+
+??? check "Data Security"
+
+    Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
+
+    Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
+
+??? check "Email Encryption"
+
+    Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP.
+
+    Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
+
+??? info "Additional Functionality"
+
+    Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
+
 ### Mailbox.org
 
 !!! recommendation
@@ -56,58 +104,10 @@ For everything else, we recommend a variety of email providers based on sustaina
 
 ??? info "Additional Functionality"
 
-    You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service, and you may experience TLS certificate errors.
+    You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors.
 
     All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
 
-### Proton Mail
-
-!!! recommendation
-
-    ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
-
-    **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
-
-    Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts are available starting at **€48/y** which include features like Proton Mail Bridge, additional storage, and custom domain support.
-
-    With the [transition to Proton.me](https://proton.me/news/updated-proton), paid plans have changed. Existing users before the 25 May 2022 will get to keep their [existing plan](https://proton.me/support/upgrading-to-new-proton-plan) pricing.
-
-    **Free**
-
-    [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
-    [:pg-tor:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title=Onion }
-    [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }
-
-??? check "Custom Domains and Aliases"
-
-    Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
-
-??? check "Private Payment Methods"
-
-    Proton Mail accepts Bitcoin in addition to accepting credit/debit cards and PayPal.
-
-??? check "Account Security"
-
-    Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) only. The use of a U2F security key is not yet supported. Proton Mail is planning to implement U2F upon completion of their [Single Sign On (SSO)](https://reddit.com/comments/cheoy6/comment/feh2lw0/) code.
-
-??? check "Data Security"
-
-    Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you.
-
-    Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon.
-
-??? check "Email Encryption"
-
-    Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP.
-
-    Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE.
-
-??? info "Additional Functionality"
-
-    Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage.
-
 ### StartMail
 
 !!! recommendation
@@ -119,7 +119,7 @@ For everything else, we recommend a variety of email providers based on sustaina
 
     **USD $59.95/year**
 
-    [:octicons-home-16: Homepage](https://startmail.com/){ .md-button .md-button--primary }
+    [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
     [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}
 
@@ -153,8 +153,7 @@ For everything else, we recommend a variety of email providers based on sustaina
 
 !!! recommendation
 
-    ![Tutanota logo](assets/img/email/tutanota.svg#only-light){ align=right }
-    ![Tutanota logo](assets/img/email/tutanota-dark.svg#only-dark){ align=right }
+    ![Tutanota logo](assets/img/email/tutanota.svg){ align=right }
 
     **[Tutanota.com](https://tutanota.com)** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
 
@@ -213,13 +212,13 @@ Using a dedicated email aliasing service also has a number of benefits over a ca
 
 They also have a number of benefits over "temporary email" services:
 
-- Aliases are permanent, and can be turned on again if you need to receive something like a password reset.
+- Aliases are permanent and can be turned on again if you need to receive something like a password reset.
 - Emails are sent to your trusted mailbox rather than stored by the alias provider.
 - Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you.
 
 Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
 
-Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from 2 to 1 by encrypting incoming emails before they are delivered to your final mailbox provider.
+Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
 
 ### AnonAddy
 
@@ -241,14 +240,14 @@ Using an aliasing service requires trusting both your email provider and your al
         - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
         - [:fontawesome-brands-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
 
-The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/month plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
 
 Notable free features:
 
 - [x] 20 Shared Aliases
 - [x] Unlimited Standard Aliases
 - [ ] No Outgoing Replies
-- [x] 2 Receipent Mailboxes
+- [x] 2 Recipient Mailboxes
 - [x] Automatic PGP Encryption
 
 ### SimpleLogin
@@ -273,19 +272,21 @@ Notable free features:
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
         - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/io.simplelogin.android.fdroid/)
 
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing.
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+
+You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Unlimited, Business or Visionary Plan, you will have SimpleLogin Premium for free.
 
 Notable free features:
 
 - [x] 15 Shared Aliases
 - [x] Unlimited Replies
-- [x] 1 Recepient Mailbox
+- [x] 1 Recipient Mailbox
 
 *[Automatic PGP Encryption]: Allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content.
 
 ## Self-Hosting Email
 
-Advanced system administrators may consider setting up their own email server. Mailservers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
+Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable.
 
 ### Combined software solutions
 
@@ -293,7 +294,7 @@ Advanced system administrators may consider setting up their own email server. M
 
     ![Mailcow logo](assets/img/email/mailcow.svg){ align=right }
 
-    **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mailserver with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
+    **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support.
 
     [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary }
     [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation}
@@ -310,7 +311,7 @@ Advanced system administrators may consider setting up their own email server. M
     [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation}
     [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" }
 
-For a more manual approach we've picked out these two articles.
+For a more manual approach we've picked out these two articles:
 
 - [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019)
 - [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017)
@@ -326,12 +327,12 @@ We regard these features as important in order to provide a safe and optimal ser
 **Minimum to Qualify:**
 
 - Encrypts email account data at rest with zero-access encryption.
-- Integrated webmail E2EE/PGP encryption provided as a convenience.
 
 **Best Case:**
 
-- Encrypts all account data (Contacts, Calendars etc) at rest with zero-access encryption.
-- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy etc.
+- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
 - Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP.
     GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
 - Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
@@ -347,7 +348,7 @@ We prefer our recommended providers to collect as little data as possible.
 **Minimum to Qualify:**
 
 - Protect sender's IP address. Filter it from showing in the `Received` header field.
-- Don't require personally identifiable information (PII) besides username and password.
+- Don't require personally identifiable information (PII) besides a username and a password.
 - Privacy policy that meets the requirements defined by the GDPR
 - Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/).
 
@@ -362,7 +363,7 @@ Email servers deal with a lot of very sensitive data. We expect that providers w
 **Minimum to Qualify:**
 
 - Protection of webmail with 2FA, such as TOTP.
-- Encryption at rest, (e.g. [dm-crypt](https://en.wikipedia.org/wiki/dm-crypt)) this protects the contents of the servers in case of unlawful seizure.
+- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
 - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
 - No [TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) errors/vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com), [testssl.sh](https://testssl.sh) or [Qualys SSL Labs](https://www.ssllabs.com/ssltest), this includes certificate related errors, poor or weak ciphers suites, weak DH parameters such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
 - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
@@ -377,8 +378,7 @@ Email servers deal with a lot of very sensitive data. We expect that providers w
 
 **Best Case:**
 
-- Support for hardware authentication, ie U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
-- Zero access encryption, builds on encryption at rest. The difference being the provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name).
 - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
 - Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
 - Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
@@ -405,14 +405,14 @@ With the email providers we recommend we like to see responsible marketing.
 
 **Minimum to Qualify:**
 
-- Must self-host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
+- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out.
 
 Must not have any marketing which is irresponsible:
 
-- Claims of "unbreakable encryption". Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
 - Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
 
-- Reusing personal information e.g. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
+- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc)
 - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
 
 **Best Case:**

docs/encryption.en.md

@@ -2,7 +2,7 @@
 title: "Encryption Software"
 icon: material/file-lock
 ---
-Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails, or files, you should pick an option here.
+Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here.
 
 ## Multi-platform
 
@@ -32,9 +32,9 @@ The options listed here are multi-platform and great for creating encrypted back
         - [:fontawesome-brands-android: Android](https://cryptomator.org/android)
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
 
-Cryptomator utilizes AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt some metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
+Cryptomator utilizes AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
 
-Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries include: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
 
 Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
 
@@ -80,7 +80,7 @@ VeraCrypt is a fork of the discontinued TrueCrypt project. According to its deve
 
 When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
 
-Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits) and VeraCrypt has also been [audited seperately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
+Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit).
 
 ## OS Full Disk Encryption
 
@@ -96,13 +96,13 @@ Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryp
 
     [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
 
-BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise, and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
+BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
 
 ??? example "Enabling BitLocker on Windows Home"
 
-    To enable BitLocker on "Home" editions of Windows, you must partitions formatted with formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
+    To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.
 
-    1. Open Windows [PowerShell](https://en.wikipedia.org/wiki/PowerShell). Start "PowerShell"
+    1. Open Windows [PowerShell](https://en.wikipedia.org/wiki/PowerShell).
 
     2. Check to see partition table format:
         ```
@@ -206,7 +206,7 @@ Tools with command-line interfaces are useful for integrating [shell scripts](ht
 
     ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
 
-    **Kryptor** is a free and open source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
+    **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG.
 
     [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" }

docs/file-sharing.en.md

@@ -6,23 +6,19 @@ Discover how to privately share your files between your devices, with your frien
 
 ## File Sharing
 
-### Magic Wormhole
+### Bitwarden Send
 
 !!! recommendation
 
-    ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ align=right }
+    ![Bitwarden logo](assets/img/file-sharing-sync/bitwarden.svg){ align=right }
 
-    **Magic Wormhole** is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. Their motto: "Get things from one computer to another, safely.
+    **Bitwarden Send** is a tool provided by the [Bitwarden](passwords.md#bitwarden) password manager. It allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan).
 
-    [:octicons-repo-16: Repository](https://github.com/magic-wormhole/magic-wormhole){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://magic-wormhole.readthedocs.io/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/magic-wormhole/magic-wormhole){ .card-link title="Source Code" }
+    You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. Free plan only allows text sharing.
 
-    ??? downloads
-
-        - [:fontawesome-brands-windows: Windows](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation)
-        - [:fontawesome-brands-apple: macOS](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#macos-os-x)
-        - [:fontawesome-brands-linux: Linux](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation)
+    [:octicons-home-16: Homepage](https://bitwarden.com/products/send/){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://bitwarden.com/help/about-send/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/bitwarden/clients){ .card-link title="Source Code" }
 
 ### OnionShare
 
@@ -49,7 +45,7 @@ Discover how to privately share your files between your devices, with your frien
 
     ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
 
-    **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to selfhost.
+    **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host.
 
     [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary }
     [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation}
@@ -58,26 +54,6 @@ Discover how to privately share your files between your devices, with your frien
 
 ## File Sync
 
-### git-annex
-
-!!! recommendation
-
-    ![git-annex logo](assets/img/file-sharing-sync/gitannex.svg){ align=right }
-
-    **git-annex** allows managing files with git, without checking the file contents into git. While that may seem paradoxical, it is useful when dealing with files larger than git can currently easily handle, whether due to limitations in memory, time, or disk space.
-
-    [:octicons-home-16: Homepage](https://git-annex.branchable.com){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://git-annex.branchable.com/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://git-annex.branchable.com/walkthrough/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://git-annex.branchable.com/install/fromsource/){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://git-annex.branchable.com/thanks/){ .card-link title=Contribute }
-
-    ??? downloads
-
-        - [:fontawesome-brands-windows: Windows](https://git-annex.branchable.com/install/Windows)
-        - [:fontawesome-brands-apple: macOS](https://git-annex.branchable.com/install/OSX)
-        - [:fontawesome-brands-linux: Linux](https://git-annex.branchable.com/install)
-
 ### Syncthing
 
 !!! recommendation

docs/index.en.md

@@ -14,7 +14,7 @@ hide:
 
 Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, we didn't always have the right to privacy. In several dictatorships, many still don't. Generations before ours fought for our right to privacy. ==Privacy is a human right inherent to all of us== that we are entitled to without discrimination.
 
-You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to hide, privacy is something that makes you human.
+You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes you human.
 
 [:material-target-account: Common Internet Threats](basics/common-threats.md){ .md-button .md-button--primary }
 </div>
@@ -24,7 +24,7 @@ You shouldn't confuse privacy with secrecy. We know what happens in the bathroom
 
 ##### First, you need to make a plan
 
-Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and by thinking ahead you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins with understanding the unique threats you face, and how you can counter them.
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and by thinking ahead you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can counter them.
 
 ==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
 

docs/linux-desktop.en.md

@@ -54,7 +54,7 @@ Tumbleweed follows a rolling release model where each update is released as a sn
 
 Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
 
-Being a DIY distribution, you are [expected to set up and maintain](#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+Being a DIY distribution, you are [expected to set up and maintain](linux-desktop/overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
 
 A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
 
@@ -116,13 +116,13 @@ Nix is a source-based package manager; if there’s no pre-built available in th
     [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
     [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
 
-Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway”. All communications from the Workstation has to go through the Tor gateway, and will be routed through the Tor Network.
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
 
 Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
 
 Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
 
-Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers).
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
 
 ### Tails
 
@@ -140,4 +140,6 @@ Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qube
 
 By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/first_steps/persistence/index.en.html) can be configured to store some data.
 
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
 --8<-- "includes/abbreviations.en.md"

docs/linux-desktop/hardening.en.md

@@ -10,9 +10,14 @@ A [firewall](https://en.wikipedia.org/wiki/Firewall_(computing)) may be used to
 
 Red Hat distributions (such as Fedora) are typically configured through [firewalld](https://en.wikipedia.org/wiki/Firewalld). Red Hat has plenty of [documentation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/using-and-configuring-firewalld_configuring-and-managing-networking) regarding this topic. There is also the [Uncomplicated Firewall](https://en.wikipedia.org/wiki/Uncomplicated_Firewall) which can be used as an alternative.
 
-Consider blocking all ports which are **not** [well known](https://en.wikipedia.org/wiki/Well-known_port#Well-known_ports) or “privileged ports”. That is, ports from 1025 up to 65535. Block both [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) and [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) after the operating system is installed.
+You could also set your default firewall zone to drop packets. If you're on a Redhat based distribution, such as Fedora this can be done with the following commands:
 
-If you use Fedora, consider removing the whitelist for for [smb](https://en.wikipedia.org/wiki/Server_Message_Block)-client and [mdns](https://en.wikipedia.org/wiki/Multicast_DNS) services if you do not use them.
+!!! Example
+    ```
+    firewall-cmd --set-default-zone=drop;
+    firewall-cmd --add-protocol=ipv6-icmp --permanent;
+    firewall-cmd --add-service=dhcpv6-client --permanent;
+    ```
 
 All these firewalls use the [Netfilter](https://en.wikipedia.org/wiki/Netfilter) framework and therefore cannot protect against malicious programs running on the system. A malicious program could insert its own rules.
 
@@ -22,13 +27,14 @@ If you are using non-classic [Snap](https://en.wikipedia.org/wiki/Snap_(package_
 
 ## Kernel hardening
 
-There are some additional kernel hardening options such as configuring [sysctl](https://en.wikipedia.org/wiki/Sysctl#Linux) keys and [kernel command-line parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) which are described in the following pages. We don’t recommend you change these options unless you learn about what they do.
+Kernel hardening options such as configuring [sysctl](https://en.wikipedia.org/wiki/Sysctl#Linux) keys and [kernel command-line parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) can help harden your system. We suggest looking at the following [sysctl settings](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl) and [boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters).
 
-- [Recommended sysctl settings](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl)
-- [Recommended boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters)
-- [Additional recommendations to reduce the kernel's attack surface](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction)
+We **strongly** recommend that you learn what these options do before applying them. There are also some methods of [kernel attack surface reduction](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction) and [access restrictions to sysfs](https://madaidans-insecurities.github.io/guides/linux-hardening.html#restricting-sysfs) that can further improve security.
 
-Do **not** disable unprivileged user namespaces if you use software that relies on it, like: Podman, Docker and LXC containers. The option will prevent this software from working.
+!!! Note
+    Unprivileged [user namespaces](https://madaidans-insecurities.github.io/linux.html#kernel) can be disabled, due to it being responsible for various privileged escalation vulnerabilities. Some software such as Docker, Podman, and LXC require unprivileged user namespaces to function. If you use these tools you should not disable `kernel.unprivileged_userns_clone`.
+
+    Disabling access to `/sys` without a proper whitelist will lead to various applications breaking. This will unfortunately be an extremely tedious process for most users. Kicksecure, and by extension, Whonix, has an experimental [hide hardware info service](https://github.com/Kicksecure/security-misc/blob/master/lib/systemd/system/hide-hardware-info.service) which does just this. From our testing, these work perfectly fine on minimal Kicksecure installations and both Qubes-Whonix Workstation and Gateway. If you are using Kicksecure or Whonix, we recommend that you follow the [Kicksecure Wiki](https://www.kicksecure.com/wiki/Security-misc) to enable hide hardware info service.
 
 ## Linux-Hardened
 
@@ -36,13 +42,15 @@ Some distributions like Arch Linux have the [linux-hardened](https://github.com/
 
 ## Linux Kernel Runtime Guard (LKRG)
 
-LKRG is a kernel module that performs runtime integrity check on the kernel to help detect detect exploits against the kernel. LKRG works in a *post*-detect fashion, attempting to respond to unauthorized modifications to the running Linux kernel. While it is [bypassable by design](https://lkrg.org/), it does stop off-the-shelf malware that does not specifically target LKRG itself. This may make exploits harder to develop and execute on vulnerable systems.
+LKRG is a kernel module that performs runtime integrity check on the kernel to help detect exploits against the kernel. LKRG works in a *post*-detect fashion, attempting to respond to unauthorized modifications to the running Linux kernel. While it is [bypassable by design](https://lkrg.org/), it does stop off-the-shelf malware that does not specifically target LKRG itself. This may make exploits harder to develop and execute on vulnerable systems.
 
-If you can get LKRG and maintain module updates it provides a worthwhile improvement to security. Debian based distributions can get the LKRG DKMS from KickSecure's secure repository and the [KickSecure documentation](https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG) has instructions on how this can be achieved. There is no LKRG package for Fedora yet, however the Qubes OS project has a COPR repository which [may become](https://github.com/QubesOS/qubes-issues/issues/5461) part of the main distribution in the future. Archlinux based systems provide LKRG DKMS modules via an [AUR package](https://aur.archlinux.org/packages/lkrg-dkms).
+If you can get LKRG and maintain module updates, it provides a worthwhile improvement to security. Debian based distributions can get the LKRG DKMS package from KickSecure's secure repository and the [KickSecure documentation](https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG) has instructions.
+
+On Fedora, [fepitre](https://github.com/fepitre), a QubesOS developer has a [COPR repository](https://copr.fedorainfracloud.org/coprs/fepitre/lkrg/) where you can install it. Arch based systems can obtain the LKRG DKMS package via an [AUR package](https://aur.archlinux.org/packages/lkrg-dkms).
 
 ## GRSecurity
 
-GRSecurity is a set of kernel patches that attempt to improve security of the Linux kernel.  It requires [payment to access](https://github.com/QubesOS/qubes-issues/issues/5461) the code.
+GRSecurity is a set of kernel patches that attempt to improve security of the Linux kernel. It requires [payment to access](https://grsecurity.net/purchase) the code and is worth using if you have a subscription.
 
 ## Simultaneous multithreading (SMT)
 
@@ -66,9 +74,25 @@ These flags could also be applied to `/home` and `/root` as well, however, `noex
 
 If you use [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/), `/var/log/journal` must not have any of those options. If you are on Arch Linux, do not apply `noexec` to `/var/tmp`.
 
+## Disabling SUID
+
+SUID allows a user to execute an application as the owner of that application, which in many cases, would be the `root` user. Vulnerable SUID executables could lead to privilege escalation vulnerabilities.
+
+It is desirable to remove SUID from as many binaries as possible; however, this takes substantial effort and trial and error on the user's part, as some applications require SUID to function.
+
+Kicksecure, and by extension, Whonix has an experimental [permission hardening service](https://github.com/Kicksecure/security-misc/blob/master/lib/systemd/system/permission-hardening.service) and [application whitelist](https://github.com/Kicksecure/security-misc/tree/master/etc/permission-hardening.d) to automate SUID removal from most binaries and libraries on the system. From our testing, these work perfectly fine on a minimal Kicksecure installation and both Qubes-Whonix Workstation and Gateway.
+
+If you are using Kicksecure or Whonix, we recommend that you follow the [Kicksecure Wiki](https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener) to enable the permission hardener.
+
+Users of other distributions can adapt the permission hardener to their own system based on the source code linked above.
+
+## Secure Time Synchronization
+
+Most Linux distributions by default (especially Arch based distributions with `systemd-timesyncd`) use un-encrypted NTP for time synchronization. Securing NTP can be achieved by [configuring NTS with chronyd](https://fedoramagazine.org/secure-ntp-with-nts/) or by using [swdate](https://github.com/Kicksecure/sdwdate) on Debian based distributions.
+
 ## Linux Pluggable Authentication Modules (PAM)
 
-There is also further hardening to [PAM](https://en.wikipedia.org/wiki/Linux_PAM) to secure authentication to your system. [This guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam) has some tips on this.
+The security of [PAM](https://en.wikipedia.org/wiki/Linux_PAM) can be [hardened](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam) to allow secure authentication to your system.
 
 On Red Hat distributions you can use [`authselect`](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel) to configure this e.g.:
 
@@ -80,32 +104,32 @@ On systems where [`pam_faillock`](https://man7.org/linux/man-pages/man8/pam_tall
 
 ## USB port protection
 
-To better protect your [USB](https://en.wikipedia.org/wiki/USB) ports from attacks such as [BadUSB](https://en.wikipedia.org/wiki/BadUSB) we recommend [USBGuard](https://github.com/USBGuard/usbguard). USBGuard has [documentation](https://github.com/USBGuard/usbguard#documentation) as does the [Arch Wiki](https://wiki.archlinux.org/title/USBGuard).
+To better protect your [USB](https://en.wikipedia.org/wiki/USB) ports from attacks such as [BadUSB](https://en.wikipedia.org/wiki/BadUSB), we recommend [USBGuard](https://github.com/USBGuard/usbguard). USBGuard has [documentation](https://github.com/USBGuard/usbguard#documentation) as does the [Arch Wiki](https://wiki.archlinux.org/title/USBGuard).
 
 Another alternative option if you’re using the [linux-hardened](#linux-hardened) is the [`deny_new_usb`](https://github.com/GrapheneOS/linux-hardened/commit/96dc427ab60d28129b36362e1577b6673b0ba5c4) sysctl. See [Preventing USB Attacks with `linux-hardened`](https://blog.lizzie.io/preventing-usb-attacks-with-linux-hardened.html).
 
 ## Secure Boot
 
-[Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot) can be used to secure the boot process by preventing the loading of [unsigned](https://en.wikipedia.org/wiki/Public-key_cryptography) [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) drivers or [boot loaders](https://en.wikipedia.org/wiki/Bootloader). Some guidance for this is provided in [this physical security guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html#physical-security) and [this verified boot guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot).
+[Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot) can be used to secure the boot process by preventing the loading of [unsigned](https://en.wikipedia.org/wiki/Public-key_cryptography) [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) drivers or [boot loaders](https://en.wikipedia.org/wiki/Bootloader).
 
-For further resources on Secure Boot we suggest taking a look at the following for instructional advice:
+One of the problems with Secure Boot, particularly on Linux is, that only the [chainloader](https://en.wikipedia.org/wiki/Chain_loading#Chain_loading_in_boot_manager_programs) (shim), the [boot loader](https://en.wikipedia.org/wiki/Bootloader) (GRUB), and the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)) are verified and that's where verification stops. The [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) is often left unverified, unencrypted, and open up the window for an [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attack. The firmware on most devices is also configured to trust Microsoft's keys for Windows and its partners, leading to a large attacks surface.
 
-- The Archwiki’s [Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot) article. There are two main methods, the first is to use a [shim](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim), the second more complete way is to [use your own keys](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys).
+To eliminate the need to trust Microsoft's keys, follow the "Using your own keys" section on the [Arch Wiki](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot). The important thing that needs to be done here is to replace the OEM's key with your own Platform Key.
 
-For background of how Secure Boot works on Linux:
+There are several ways to work around the unverified initramfs:
 
-- [The Strange State of Authenticated Boot and Disk Encryption on Generic Linux Distributions](https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html)
-- [Rod Smith’s Managing EFI Boot Loaders for Linux](https://www.rodsbooks.com/efi-bootloaders/)
-- [Dealing with Secure Boot](https://www.rodsbooks.com/efi-bootloaders/secureboot.html)
-- [Controlling Secure Boot](https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html)
+The first way is to [encrypt the /boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). If you are on Fedora Workstation (not Silverblue), you can follow [this guide](https://mutschler.eu/linux/install-guides/fedora-btrfs-33/) to convert the existing installation to encrypted `/boot`. openSUSE comes with this that by default.
 
-One of the problems with Secure Boot particularly on Linux is that only the [chainloader](https://en.wikipedia.org/wiki/Chain_loading#Chain_loading_in_boot_manager_programs) (shim), the [boot loader](https://en.wikipedia.org/wiki/Bootloader) (GRUB), and the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)) are verified and that’s where verification stops. The [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) is often left unverified, unencrypted, and open up the window for an [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attack. There are a few things that can be done to reduce risk such as:
+Encrypting `/boot` however have its own issues, one being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) so the boot process will take minutes to complete. Another problem with this is that you have to type the encryption password twice, which could be solved by following the [openSUSE Wiki](https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice).
 
-- Creating an [EFI Boot Stub](https://docs.kernel.org/admin-guide/efi-stub.html) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option.
-- [Encrypting the boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). However, this has its own issues, the first being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) the boot process will take minutes to complete.
-- Using TPM to perform a [measured boot](https://www.krose.org/~krose/measured_boot).
+There are a few options depending on your configuration:
 
-After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot.
+- If you enroll your own keys as described above, and your distribution supports Secure Boot by default, you can add your distribution's EFI Key into the list of trusted keys (db keys). It can then be enrolled into the firmware. Then, you should move all of your keys off your local storage device.
+- If you enroll your own keys as described above, and your distribution does **not** support Secure Boot out of the box (like Arch Linux), you have to leave the keys on the disk and setup automatic signing of the [kernel](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Signing_the_kernel_with_a_pacman_hook) and bootloader. If you are using Grub, you can install it with the `--no-shim-lock` option and remove the need for the chainloader.
+
+The second option is to creating an [EFI Boot Stub](https://wiki.archlinux.org/title/Unified_kernel_image) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk), and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option. This option also requires you to leave the keys on the disk to setup automatic signing, which weakens the security model.
+
+After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password”, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot.
 
 These recommendations can make you a little more resistant to [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, but they not good as a proper verified boot process such as that found on [Android](https://source.android.com/security/verifiedboot), [ChromeOS](https://support.google.com/chromebook/answer/3438631) or [Windows](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process).
 

docs/linux-desktop/overview.en.md

@@ -2,9 +2,9 @@
 title: Linux Overview
 icon: fontawesome/brands/linux
 ---
-It is often believed that [open source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/2022/02/02/floss-security.html). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
 
-At the moment, desktop GNU/Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g:
+At the moment, desktop GNU/Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
 
 - A verified boot chain, unlike Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot) or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
 - Strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
@@ -42,7 +42,7 @@ Traditionally, Linux distributions update by sequentially updating the desired p
 
 Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
 
-A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state”.
+A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."
 
 The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
 
@@ -52,21 +52,25 @@ The Atomic update method is used for immutable distributions like Silverblue, Tu
 
 ### “Security-focused” distributions
 
-There is often some confusion about “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch, and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
+There is often some confusion about “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
 
 ### Arch-based distributions
 
-Arch based distributions are not recommended for those new to Linux, regardless of the distribution. Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
 
 For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
 
-Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to using third party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
+Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
 
 If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend Arch Linux proper, not any of its derivatives. We recommend against these two Arch derivatives specifically:
 
 - **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
 - **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
 
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, if you decide to use it, we suggest that you [convert](https://www.kicksecure.com/wiki/Debian) it into [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
 ### Linux-libre kernel and “Libre” distributions
 
 We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.
@@ -75,9 +79,9 @@ We strongly recommend **against** using the Linux-libre kernel, since it [remove
 
 ### Drive Encryption
 
-Most Linux distributions have an option within its installer for enabling [LUKS](/encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
+Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device:
 
-- [Secure Data Erasure :hero-arrow-circle-right-fill:](../basics/erasing-data.md)
+- [Secure Data Erasure :hero-arrow-circle-right-fill:](../advanced/erasing-data.md)
 
 ### Swap
 
@@ -87,7 +91,7 @@ Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [
 
 We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
 
-Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
+Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
 
 We recommend **against** using desktop environments or window managers that do not have Wayland support such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
 
@@ -101,7 +105,7 @@ We **highly recommend** that you install the microcode updates, as your CPU is a
 
 ### MAC Address Randomization
 
-Many desktop Linux distributions (Fedora, openSUSE etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
+Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings.
 
 It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous.
 
@@ -109,7 +113,7 @@ We recommend changing the setting to **random** instead of **stable**, as sugges
 
 If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=).
 
-There isn’t much point in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
+There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
 
 ### Other Identifiers
 

docs/linux-desktop/sandboxing.en.md

@@ -53,7 +53,7 @@ You can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles,
 
 ### Securing Linux containers
 
-If you’re running a server you may have heard of Linux Containers, Docker, or Podman which refer to a kind of [OS-level virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization). Containers are more common in server and development environments where individual apps are built to operate independently.
+If you’re running a server, you may have heard of Linux Containers, Docker, or Podman which refer to a kind of [OS-level virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization). Containers are more common in server and development environments where individual apps are built to operate independently.
 
 [Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It does not run a proper sandbox, and this means that there is a large kernel attack surface. The [daemon](https://en.wikipedia.org/wiki/Daemon_(computing)) controls everything and [typically](https://docs.docker.com/engine/security/rootless/#known-limitations) runs as root. If it crashes for some reason, all the containers will crash too. The [gVisor](https://en.wikipedia.org/wiki/GVisor) runtime which implements an application level kernel can help limit the number of [syscalls](https://en.wikipedia.org/wiki/System_call) an application can make and can help isolate it from the host’s [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)).
 

docs/metadata-removal-tools.en.md

@@ -12,7 +12,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
     ![ExifCleaner logo](assets/img/metadata-removal/exifcleaner.svg){ align=right }
 
-    **ExifCleaner** is a freeware, open source graphical app that uses [ExifTool](https://exiftool.org) to remove Exif metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.
+    **ExifCleaner** is a freeware, open-source graphical app that uses [ExifTool](https://exiftool.org) to remove Exif metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.
 
     [:octicons-home-16: Homepage](https://exifcleaner.com){ .md-button .md-button--primary }
     [:octicons-info-16:](https://github.com/szTheory/exifcleaner#readme){ .card-link title=Documentation}
@@ -32,7 +32,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
     **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org).
 
-    On Linux, a third party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
+    On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).
 
     [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
     [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation}
@@ -47,23 +47,41 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
 ## Mobile
 
-### Imagepipe (Android)
+### ExifEraser (Android)
 
 !!! recommendation
 
-    ![Imagepipe logo](assets/img/metadata-removal/imagepipe.svg){ align=right }
+    ![ExifEraser logo](assets/img/metadata-removal/exiferaser.svg){ align=right }
 
-    **Imagepipe** is a a paint app for Android that can be used to redact photos and also delete Exif metadata. It has been translated into [many](https://codeberg.org/Starfish/Imagepipe#translations) languages.
+    **ExifEraser** is a modern, permissionless image metadata erasing application for Android.
 
-    [:octicons-repo-16: Repository](https://codeberg.org/Starfish/Imagepipe){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://codeberg.org/Starfish/Imagepipe/src/branch/master/README.md){ .card-link title=Documentation}
-    [:octicons-code-16:](https://codeberg.org/Starfish/Imagepipe){ .card-link title="Source Code" }
+    It currently supports JPEG, PNG and WebP files.
+
+    [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary }
+    [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" }
 
     ??? downloads
 
-        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.kaffeemitkoffein.imagepipe/)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
+        - [:fontawesome-brands-android: IzzyOnDroid (APK)](https://android.izzysoft.de/repo/apk/com.none.tom.exiferaser)
+        - [:fontawesome-brands-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)
 
-Imagepipe is only available from F-Droid and not in Google Play. If you're looking for a paint app in Google Play we suggest [Pocket Paint](https://play.google.com/store/apps/details?id=org.catrobat.paintroid).
+The metadata that is erased depends on the image's file type:
+
+* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists.
+* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists.
+
+After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image.
+
+The app offers multiple ways to erase metadata from images. Namely:
+
+* You can share an image from another application with ExifEraser.
+* Through the app itself, you can select a single image, multiple images at once, or even an entire directory.
+* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it.
+* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode.
+* Lastly, it allows you to paste an image from your clipboard.
 
 ### Metapho (iOS)
 
@@ -72,8 +90,8 @@ Imagepipe is only available from F-Droid and not in Google Play. If you're looki
     ![Metapho logo](assets/img/metadata-removal/metapho.jpg){ align=right }
 
     Metapho is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.
-    
-    Metapho is closed source, however we recommend it due to the few choices there are for iOS.
+
+    Metapho is closed-source, however we recommend it due to the few choices there are for iOS.
 
     [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" }
@@ -82,25 +100,6 @@ Imagepipe is only available from F-Droid and not in Google Play. If you're looki
 
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/metapho/id914457352)
 
-### Scrambled Exif (Android)
-
-!!! recommendation
-
-    ![Scrambled Exif logo](assets/img/metadata-removal/scrambled-exif.svg){ align=right }
-
-    **Scrambled Exif** is a metadata removal tool for Android. It can remove Exif data for many file formats and has been translated into [many](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) languages.
-
-    [:octicons-repo-16: Repository](https://gitlab.com/juanitobananas/scrambled-exif){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://gitlab.com/juanitobananas/scrambled-exif/-/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://gitlab.com/juanitobananas/scrambled-exif/-/blob/master/README.md){ .card-link title=Documentation}
-    [:octicons-code-16:](https://gitlab.com/juanitobananas/scrambled-exif){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://gitlab.com/juanitobananas/scrambled-exif#donating){ .card-link title=Contribute }
-
-    ??? downloads
-
-        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.jarsilio.android.scrambledeggsif)
-        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.jarsilio.android.scrambledeggsif)
-
 ## Command-line
 
 ### ExifTool

docs/mobile-browsers.en.md

@@ -0,0 +1,154 @@
+---
+title: "Mobile Browsers"
+icon: octicons/device-mobile-16
+---
+These are our currently recommended mobile web browsers and configurations. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+    ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+    **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+    Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+    [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+    [:pg-tor:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title=Onion }
+    [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+    ??? downloads annotate
+
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+<div class="annotate" markdown>
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+    ??? warning "Use default filter lists"
+        Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+</div>
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [ ] Uncheck **IPFS Gateway**
+
+##### Other privacy settings
+
+- [x] Select **Disable Non-Proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections**
+- [x] Select **Close tabs on exit**
+- [x] Select **Clear data on exit**
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+    ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+    **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+    [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu (:pg-textformat-size:).
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+    ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+    **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+    AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+    [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+--8<-- "includes/abbreviations.en.md"

docs/multi-factor-authentication.en.md

@@ -4,6 +4,29 @@ icon: 'material/two-factor-authentication'
 ---
 ## Hardware Security Keys
 
+### YubiKey
+
+!!! recommendation
+
+    ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
+
+    The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+    One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
+
+    [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
+
+The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+!!! warning
+    The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
 ### Nitrokey / Librem Key
 
 !!! recommendation
@@ -24,7 +47,7 @@ For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 fo
 
 !!! warning
 
-    While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks.
+    While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead.
 
 !!! warning
 
@@ -32,38 +55,15 @@ For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 fo
 
  The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes.
 
- The Nitrokey has an open source firmware, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
+ The Nitrokey has an open-source firmware, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
 
 !!! tip
 
     The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app).
 
-### YubiKey
-
-!!! recommendation
-
-    ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-    The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-    One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
-
-    [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation}
-
-The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-!!! warning
-    The firmware of YubiKeys are not open source and are not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
 ## Authenticator Apps
 
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret, or otherwise be able to predict what any future codes might be.
+Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and IOS have better security and app isolation than most desktop operating systems.
 
@@ -73,7 +73,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
     ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right }
 
-    **Aegis Authenticator** is a free, secure and open source app to manage your 2-step verification tokens for your online services.
+    **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services.
 
     [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" }

docs/news-aggregators.en.md

@@ -31,7 +31,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
 
     ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
 
-    **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports it supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) and [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+    **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
 
     [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
     [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }

docs/notebooks.en.md

@@ -3,11 +3,11 @@ title: "Notebooks"
 icon: material/notebook-edit-outline
 ---
 
-Keep track of your notes and journalings without giving them to a third party.
+Keep track of your notes and journalings without giving them to a third-party.
 
 If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE.
 
-## Cloud based
+## Cloud-based
 
 ### EteSync Notes
 
@@ -55,7 +55,6 @@ If you are currently using an application like Evernote, Google Keep, or Microso
         - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
-        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.cozic.joplin)
 
 Joplin does not support password/pin protection for the [application itself or individual notes/notebooks](https://github.com/laurent22/joplin/issues/289). Data is still encrypted in transit and at the sync location using your master key.
 

docs/passwords.en.md

@@ -6,9 +6,9 @@ Stay safe and secure online with an encrypted and open-source password manager.
 
 ## Password Best Practices
 
-- Always use unique passwords. Don't make yourself a victim of "[credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing)".
-- Store an exported backup of your passwords in an [encrypted container](encryption.md) on another storage device. This can be useful if something happens to your device or the service you are using.
-- If possible, store TOTP tokens in a separate [TOTP app](basics/multi-factor-authentication.md#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
+- Always use unique passwords. Don't make yourself a victim of "[credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing)"
+- Store an exported backup of your passwords in an [encrypted container](encryption.md) on another storage device. This can be useful if something happens to your device or the service you are using
+- If possible, store TOTP tokens in a separate [TOTP app](basics/multi-factor-authentication.md#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)." If the secret is obtained by an adversary, he can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials
 
 ## Local Storage
 
@@ -39,7 +39,7 @@ These password managers store the password database locally.
 
     ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right }
 
-    **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.
+    **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager.
 
     [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" }
@@ -88,7 +88,7 @@ These password managers sync your passwords to a cloud server for easy accessibi
         - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
         - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
 
-Bitwarden's server-side code is [open source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server.
+Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server.
 
 ![Vaultwarden logo](assets/img/password-management/vaultwarden.svg#only-light){ align=right }
 ![Vaultwarden logo](assets/img/password-management/vaultwarden-dark.svg#only-dark){ align=right }
@@ -106,7 +106,7 @@ Bitwarden's server-side code is [open source](https://github.com/bitwarden/serve
 
     ![Psono logo](assets/img/password-management/psono.svg){ align=right }
 
-    **Psono** is a free and open source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
+    **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.
 
     [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" }
@@ -121,7 +121,7 @@ Bitwarden's server-side code is [open source](https://github.com/bitwarden/serve
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
         - [:fontawesome-brands-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)
 
-Psono provides [extensive documentation](https://doc.psono.com/) for their product. The [web-client](https://doc.psono.com/admin/installation/install-webclient.html#installation-with-docker) for Psono can be self-hosted; alternatively, you can choose the the full [Community Edition](https://doc.psono.com/admin/installation/install-server-ce.html) or the [Enterprise Edition](https://doc.psono.com/admin/installation/install-server-ee.html) with additional features.
+Psono provides [extensive documentation](https://doc.psono.com/) for their product. The [web-client](https://doc.psono.com/admin/installation/install-webclient.html#installation-with-docker) for Psono can be self-hosted; alternatively, you can choose the full [Community Edition](https://doc.psono.com/admin/installation/install-server-ce.html) or the [Enterprise Edition](https://doc.psono.com/admin/installation/install-server-ee.html) with additional features.
 
 ## Minimal Password Managers
 

docs/productivity.en.md

@@ -2,10 +2,14 @@
 title: "Productivity Tools"
 icon: material/file-sign
 ---
-Get working and collaborating without sharing your documents with a middleman or trusting a cloud provider.
+Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints.
 
 ## Office Suites
 
+We recommend running a local Office suite. If you're using Microsoft Windows, we suggest Microsoft Office as it has support from [MDAG](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) which prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated [Hyper-V](https://en.wikipedia.org/wiki/Hyper-V)-enabled container. On macOS [iWork](https://www.apple.com/iwork) has [App Sandbox](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html).
+
+For other platforms, consider below:
+
 ### LibreOffice
 
 !!! recommendation
@@ -54,34 +58,13 @@ Get working and collaborating without sharing your documents with a middleman or
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id944896972)
 
-## Planning
-
-### Framadate
-
-!!! recommendation
-
-    ![Framadate logo](assets/img/productivity/framadate.svg){ align=right }
-
-    **Framadate** is a free and open-source online service for planning an appointment or making a decision quickly and easily. No registration is required.
-
-    [:octicons-home-16: Homepage](https://framadate.org){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://framagit.org/framasoft/framadate/framadate/-/wikis/home){ .card-link title=Documentation}
-    [:octicons-code-16:](https://framagit.org/framasoft/framadate){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://framadate.org/abc/en/#f-sfs-form){ .card-link title=Contribute }
-
-## Paste services
-
-!!! warning
-
-    Encrypted Pastebin websites like the ones recommended here use JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat.
-
 ### CryptPad
 
 !!! recommendation
 
     ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right }
 
-    **CryptPad** is a private-by-design alternative to popular office tools. All content is end-to-end encrypted.
+    **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily.
 
     [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" }
@@ -89,6 +72,12 @@ Get working and collaborating without sharing your documents with a middleman or
     [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" }
     [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute }
 
+## Paste services
+
+!!! warning
+
+    Encrypted Pastebin websites like the ones recommended here use JavaScript to handle encryption, so you must trust the provider to the extent that they do not inject any malicious JavaScript to get your private key. Consider self-hosting to mitigate this threat.
+
 ### PrivateBin
 
 !!! recommendation
@@ -102,48 +91,4 @@ Get working and collaborating without sharing your documents with a middleman or
     [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation}
     [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" }
 
-## Blogging
-
-### Write.as
-
-!!! recommendation
-
-    ![Write.as logo](assets/img/productivity/writeas.svg#only-light){ align=right }
-    ![Write.as logo](assets/img/productivity/writeas-dark.svg#only-dark){ align=right }
-
-    **Write.as** is a cross-platform, privacy-oriented blogging platform. It's anonymous by default, letting you publish without signing up. If you create an account, it doesn't require any personal information. No ads, distraction-free, and built on a sustainable business model.
-
-    [:octicons-home-16: Homepage](https://write.as){ .md-button .md-button--primary }
-    [:pg-tor:](http://writeasw4b635r4o3vec6mu45s47ohfyro5vayzx2zjwod4pjswyovyd.onion){ .card-link title=Onion }
-    [:octicons-eye-16:](https://write.as/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-code-16:](https://code.as/writeas){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        - [:fontawesome-brands-windows: Windows](https://github.com/writeas/writeas-cli)
-        - [:fontawesome-brands-apple: macOS](https://github.com/writeas/writeas-cli)
-        - [:fontawesome-brands-linux: Linux](https://github.com/writeas/writeas-cli)
-        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.abunchtell.writeas)
-        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1531530896)
-
-## Programming
-
-### VSCodium
-
-!!! recommendation
-
-    ![VSCodium logo](assets/img/productivity/vscodium.svg){ align=right }
-
-    **VSCodium** is a free and open-source project featuring binaries of [Visual Studio Code](https://code.visualstudio.com) without Microsoft's branding/telemetry/licensing.
-
-    [:octicons-home-16: Homepage](https://vscodium.com){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://github.com/VSCodium/vscodium/blob/master/DOCS.md){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/VSCodium/vscodium){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        - [:fontawesome-brands-windows: Windows](https://vscodium.com/#install)
-        - [:fontawesome-brands-apple: macOS](https://vscodium.com/#install)
-        - [:fontawesome-brands-linux: Linux](https://vscodium.com/#install)
-
 --8<-- "includes/abbreviations.en.md"

docs/real-time-communication.en.md

@@ -4,6 +4,48 @@ icon: material/chat-processing
 ---
 ## Cross-Platform Messengers
 
+### Signal
+
+!!! recommendation
+
+    ![Signal logo](assets/img/messengers/signal.svg){ align=right }
+
+    **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
+
+    All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
+
+    [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
+
+    ??? downloads
+
+        - [:fontawesome-brands-windows: Windows](https://signal.org/download)
+        - [:fontawesome-brands-apple: macOS](https://signal.org/download)
+        - [:fontawesome-brands-linux: Linux](https://signal.org/download)
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id874139669)
+
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
+
+The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
+
+We also suggest Molly as an alternative to the official Signal app.
+
+![Molly logo](/assets/img/messengers/molly.svg){ align=right }
+
+**Molly** is a Signal fork for Android that provides additional hardening and security features to Signal.
+
+[:octicons-home-16: Homepage](https://molly.im/){ .md-button }
+[:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://github.com/mollyim/mollyim-android#readme){ .card-link title=Documentation}
+[:octicons-code-16:](https://github.com/mollyim/mollyim-android){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://opencollective.com/mollyim){ .card-link title=Contribute }
+
+[Signal Configuration and Hardening :hero-arrow-circle-right-fill:](./advanced/signal-configuration-hardening.md)
+
 ### Element
 
 !!! recommendation
@@ -12,7 +54,7 @@ icon: material/chat-processing
 
     **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication.
 
-    Messages and files shared in private rooms (those which require an invite) are by default E2EE as are 1 to 1 voice and video calls.
+    Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
 
     [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" }
@@ -31,7 +73,7 @@ icon: material/chat-processing
 
 Profile pictures, reactions, and nicknames are not encrypted.
 
-Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non room participants can also join the calls. We recommend that you do not use this feature for private meetings.
+Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings.
 
 When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](basics/threat-modeling.md) requires stronger protection, then use a desktop or mobile client instead.
 
@@ -69,38 +111,6 @@ Oxen requested an independent audit for Session in March of 2020. The audit [con
 
 Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol.
 
-### Signal
-
-!!! recommendation
-
-    ![Signal logo](assets/img/messengers/signal.svg){ align=right }
-
-    **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
-
-    All communications are E2EE. Contact lists are encrypted using your login PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts who add you.
-
-    [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute }
-
-    ??? downloads
-
-        - [:fontawesome-brands-windows: Windows](https://signal.org/download)
-        - [:fontawesome-brands-apple: macOS](https://signal.org/download)
-        - [:fontawesome-brands-linux: Linux](https://signal.org/download)
-        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
-        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id874139669)
-
-Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server.
-
-Signal requires your phone number as a personal identifier.
-
-[Sealed Sender](https://signal.org/blog/sealed-sender/) is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam.
-
-The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
-
 ## Other Messengers
 
 ### Briar (Android)
@@ -125,7 +135,7 @@ The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf)
 
 To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.
 
-The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/) and the anonymous routing protocol uses the Tor network which has also been audited.
+The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited.
 
 Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).
 
@@ -170,8 +180,8 @@ When self-hosted, members of a federated server can discover and communicate wit
 
 - Allows for greater control over your own data when running your own server.
 - Allows you to choose who to trust your data with by choosing between multiple "public" servers.
-- Often allows for third party clients which can provide a more native, customized, or accessible experience.
-- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member)
+- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
+- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
 
 **Disadvantages:**
 
@@ -185,17 +195,17 @@ When self-hosted, members of a federated server can discover and communicate wit
 
 ![P2P diagram](assets/img/layout/network-distributed.svg){ align=left }
 
-P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recepient without a third-party server.
+P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
 
 Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
 
 Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
 
-P2P networks do not use servers, as peers communicate directly between each other, and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
+P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
 
 **Advantages:**
 
-- Minimal information is exposed to third parties.
+- Minimal information is exposed to third-parties.
 - Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
 
 **Disadvantages:**
@@ -204,15 +214,15 @@ P2P networks do not use servers, as peers communicate directly between each othe
 - Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
 - Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
 - Some common messenger features may not be implemented or incompletely, such as message deletion.
-- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](vpn.md) or [self contained network](self-contained-networks.md), such as [Tor](https://www.torproject.org) or [I2P](https://geti2p.net/). Many countries have some form of mass surveillance and/or metadata retention.
+- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](vpn.md) or [self-contained network](self-contained-networks.md), such as [Tor](https://www.torproject.org) or [I2P](https://geti2p.net/). Many countries have some form of mass surveillance and/or metadata retention.
 
 ### Anonymous Routing
 
 ![Anonymous routing diagram](assets/img/layout/network-anonymous-routing.svg){ align=left }
 
-A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
+A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver or evidence that they have been communicating. Ideally, a messenger should hide all three.
 
-There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](https://en.wikipedia.org/wiki/Tor_(anonymity_network))), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly, and only meet through a secret rendezvous node, so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages nor the final destination, only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers".
+There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](https://en.wikipedia.org/wiki/Tor_(anonymity_network))), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node, so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
 
 Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
 

docs/router.en.md

@@ -2,7 +2,7 @@
 title: "Router Firmware"
 icon: material/router-wireless
 ---
-Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points etc.
+Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc.
 
 ## OpenWrt
 
@@ -27,7 +27,7 @@ You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to
     ![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right }
     ![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right }
 
-    pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network and is noted for its reliability and offering features often only found in expensive commercial firewalls. pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.
+    pfSense is an open-source firewall/router computer software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network and is noted for its reliability and offering features often only found in expensive commercial firewalls. pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.
 
     [:octicons-home-16: Homepage](https://www.pfsense.org){ .md-button .md-button--primary }
     [:octicons-info-16:](https://docs.netgate.com/pfsense/en/latest/){ .card-link title=Documentation}

docs/search-engines.en.md

@@ -18,7 +18,7 @@ Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your thr
 
     Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts.
 
-    We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics), this option is enabled by default and can be disabled within settings.
+    We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings.
 
     [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary }
     [:pg-tor:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title=Onion }
@@ -31,13 +31,10 @@ Brave Search is based in the :flag_us: United States. Their [privacy policy](htt
 
 !!! recommendation
 
-    ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg#only-light){ align=right }
-    ![DuckDuckGo logo](assets/img/search-engines/duckduckgo-dark.svg#only-dark){ align=right }
+    ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right }
 
     **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results.
 
-    While DuckDuckGo’s primary service is its search engine, the company has recently been branching out by offering various other services and products. This includes their web browsers, email relay service, etc.
-
     DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser.
 
     [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary }
@@ -47,7 +44,7 @@ Brave Search is based in the :flag_us: United States. Their [privacy policy](htt
 
 DuckDuckGo is based in the :flag_us: United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information.
 
-DuckDuckGo offers two other [versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
+DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
 
 ## SearXNG
 
@@ -74,16 +71,18 @@ When you are using a SearXNG instance, be sure to go read their privacy policy.
     ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right }
     ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right }
 
-    **Startpage** is a private search engine known for serving Google search results. Startpage's flagship feature is [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the Tor Browser instead. The feature can be useful for hiding some network and browser properties—see the [technical document](https://support.startpage.com/index.php?/Knowledgebase/Article/View/1185/0/the-anonymous-view-proxy---technical-details=undefined) for more details.
-
-    Startpage has been known to refuse access to those using a VPN service or Tor, so your mileage may vary.
+    **Startpage** is a private search engine known for serving Google search results.  One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](browsers.md#tor-browser) instead.
 
     [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://support.startpage.com/index.php?/Knowledgebase/List){ .card-link title=Documentation}
+    [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation}
+
+!!! warning
+
+    Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider.
 
 Startpage is based in the :flag_nl: Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information.
 
-Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have an distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
+Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
 
 --8<-- "includes/abbreviations.en.md"

docs/tools.en.md

@@ -9,37 +9,37 @@ If you're looking for a specific solution to something, these are the hardware a
 
 If you want assistance figuring out the best privacy tools and alternative programs for your workload/use-case, start a discussion in our [Reddit](https://www.reddit.com/r/privacyguides) or [Matrix](https://matrix.to/#/#privacyguides:matrix.org) communities!
 
-For your convenience, everything we recommend is listed below with a link to the project's homepage. For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section.
+For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.
 
 ## Web Browsers
 
 <div class="grid cards" markdown>
 
-- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](browsers.md#tor-browser)
-- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Desktop)](browsers.md#firefox)
-- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Desktop)](browsers.md#brave)
-- ![Bromite logo](assets/img/browsers/bromite.svg){ .twemoji } [Bromite (Android)](browsers.md#bromite)
-- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](browsers.md#safari)
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](desktop-browsers.md#tor-browser)
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Desktop)](desktop-browsers.md#firefox)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Desktop)](desktop-browsers.md#brave)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave-android)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
 
 </div>
 
-[Learn more :hero-arrow-circle-right-fill:](browsers.md)
+[Learn more :hero-arrow-circle-right-fill:](desktop-browsers.md)
 
 **Additional Resources:**
 
 <div class="grid cards annotate" markdown>
 
-- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](browsers.md#ublock-origin)
-- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](browsers.md#adguard-for-ios)
-- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](browsers.md#snowflake) (1)
-- ![ToS;DR logo](assets/img/browsers/terms_of_service_didnt_read.svg){ .twemoji } [Terms of Service; Didn't Read](browsers.md#terms-of-service-didnt-read) (2)
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard-for-ios)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](desktop-browsers.md#snowflake) (1)
+- ![ToS;DR logo](assets/img/browsers/terms_of_service_didnt_read.svg){ .twemoji } [Terms of Service; Didn't Read](desktop-browsers.md#terms-of-service-didnt-read) (2)
 
 </div>
 
 1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
 2. We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website.
 
-[Learn more :hero-arrow-circle-right-fill:](browsers.md#additional-resources)
+[Learn more :hero-arrow-circle-right-fill:](desktop-browsers.md#additional-resources)
 
 ## Operating Systems
 
@@ -48,7 +48,6 @@ For your convenience, everything we recommend is listed below with a link to the
 <div class="grid cards" markdown>
 
 - ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
-- ![CalyxOS logo](assets/img/android/calyxos.svg){ .twemoji } [CalyxOS](android.md#calyxos)
 - ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
 
 </div>
@@ -110,7 +109,6 @@ For your convenience, everything we recommend is listed below with a link to the
 - ![Cryptee logo](assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](cloud.md#cryptee)
 - ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](cloud.md#nextcloud)
 - ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive)
-- ![Tahoe-LAFS logo](assets/img/cloud/tahoe-lafs.svg#only-light){ .twemoji }![Tahoe-LAFS logo](assets/img/cloud/tahoe-lafs-dark.svg#only-dark){ .twemoji } [Tahoe-LAFS (Advanced)](cloud.md#tahoe-lafs)
 
 </div>
 
@@ -151,10 +149,10 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Mailbox.org logo](assets/img/email/mini/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
 - ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#protonmail)
-- ![StartMail logo](assets/img/email/mini/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/mini/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
-- ![Tutanota logo](assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
+- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg)
+- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail)
+- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota)
 
 </div>
 
@@ -164,8 +162,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![AnonAddy logo](assets/img/email/mini/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/mini/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
-- ![SimpleLogin logo](assets/img/email/mini/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
+- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy)
+- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin)
 
 </div>
 
@@ -187,9 +185,9 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 <div class="grid cards" markdown>
 
 - ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search)
-- ![DuckDuckGo logo](assets/img/search-engines/mini/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
-- ![SearXNG logo](assets/img/search-engines/mini/searxng-wordmark.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
-- ![Startpage logo](assets/img/search-engines/mini/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/mini/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
+- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo)
+- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng)
+- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage)
 
 </div>
 
@@ -209,9 +207,9 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
-- ![Mullvad logo](assets/img/vpn/mini/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
 - ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#protonvpn)
+- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn)
+- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad)
 
 </div>
 
@@ -223,11 +221,9 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![DecSync CC logo](assets/img/calendar-contacts/decsync.svg){ .twemoji } [DecSync CC](calendar-contacts.md#decsync-cc)
+- ![Tutanota logo](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota](calendar-contacts.md#tutanota)
 - ![EteSync logo](assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](calendar-contacts.md#etesync)
-- ![Nextcloud logo](assets/img/calendar-contacts/nextcloud.svg){ .twemoji } [Nextcloud](calendar-contacts.md#nextcloud)
-- ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar (SaaS)](calendar-contacts.md#proton-calendar)
-- ![Tutanota logo](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota (SaaS)](calendar-contacts.md#tutanota)
+- ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar-contacts.md#proton-calendar)
 
 </div>
 
@@ -264,7 +260,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 [Learn more :hero-arrow-circle-right-fill:](email-clients.md)
 
-### Encryption Tools
+### Encryption Software
 
 ??? info "Operating System Disk Encryption"
 
@@ -302,10 +298,9 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ .twemoji } [Magic Wormhole](file-sharing.md#magic-wormhole)
+- ![Bitwarden logo](assets/img/file-sharing-sync/bitwarden.svg){ .twemoji } [Bitwarden](file-sharing.md#bitwarden-send)
 - ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
 - ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
-- ![git-annex logo](assets/img/file-sharing-sync/gitannex.svg){ .twemoji } [git-annex](file-sharing.md#git-annex)
 - ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
 
 </div>
@@ -318,9 +313,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 - ![ExifCleaner logo](assets/img/metadata-removal/exifcleaner.svg){ .twemoji } [ExifCleaner](metadata-removal-tools.md#exifcleaner)
 - ![MAT2 logo](assets/img/metadata-removal/mat2.svg){ .twemoji } [MAT2](metadata-removal-tools.md#mat2)
-- ![Imagepipe logo](assets/img/metadata-removal/imagepipe.svg){ .twemoji } [Imagepipe (Android)](metadata-removal-tools.md#imagepipe)
+- ![ExifEraser logo](assets/img/metadata-removal/exiferaser.svg){ .twemoji } [ExifEraser (Android)](metadata-removal-tools.md#exiferaser-android)
 - ![Metapho logo](assets/img/metadata-removal/metapho.jpg){ .twemoji } [Metapho (iOS)](metadata-removal-tools.md#metapho)
-- ![Scrambled Exif logo](assets/img/metadata-removal/scrambled-exif.svg){ .twemoji } [Scrambled Exif (Android)](metadata-removal-tools.md#scrambled-exif)
 - ![ExifTool logo](assets/img/metadata-removal/exiftool.png){ .twemoji } [ExifTool (CLI)](metadata-removal-tools.md#exiftool)
 
 </div>
@@ -331,8 +325,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
 - ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey)
+- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator)
 - ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp)
 
@@ -347,7 +341,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 - ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx)
 - ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc)
 - ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden)
-- ![Vaultwarden logo](assets/img/password-management/vaultwarden.svg#only-light){ .twemoji }![Vaultwarden logo](assets/img/password-management/vaultwarden-dark.svg#only-dark){ .twemoji } [Vaultwarden (Bitwarden Server)](passwords.md#vaultwarden)
+- ![Vaultwarden logo](assets/img/password-management/vaultwarden.svg#only-light){ .twemoji }![Vaultwarden logo](assets/img/password-management/vaultwarden-dark.svg#only-dark){ .twemoji } [Vaultwarden (Bitwarden Server)](passwords.md#bitwarden)
 - ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono)
 - ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass)
 
@@ -361,11 +355,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 - ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice)
 - ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice)
-- ![Framadate logo](assets/img/productivity/framadate.svg){ .twemoji } [Framadate (Appointment Planning)](productivity.md#framadate)
 - ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad)
 - ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin)
-- ![Write.as logo](assets/img/productivity/writeas.svg#only-light){ .twemoji }![Write.as logo](assets/img/productivity/writeas-dark.svg#only-dark){ .twemoji } [Write.as (Blogging Platform)](productivity.md#writeas)
-- ![VSCodium logo](assets/img/productivity/vscodium.svg){ .twemoji } [VSCodium (Source-Code Editor)](productivity.md#vscodium)
 
 </div>
 
@@ -375,9 +366,10 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
+- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Molly logo](assets/img/messengers/molly.svg){ .twemoji } [Molly (Hardened Signal fork for Android)](/advanced/signal-configuration-hardening/#hardening-signal-with-molly-on-android)
 - ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
 - ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
-- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
 - ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](real-time-communication.md#briar)
 
 </div>

docs/video-streaming.en.md

@@ -12,7 +12,7 @@ The primary threat when using a video streaming platform is that your streaming
 
     ![FreeTube logo](assets/img/video-streaming/freetube.svg){ align=right }
 
-    **FreeTube** is a free and open source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device.
+    **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device.
 
     By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.
 
@@ -31,7 +31,7 @@ The primary threat when using a video streaming platform is that your streaming
 
 !!! Warning
 
-    When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
+    When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
 
 ### LBRY
 
@@ -72,7 +72,7 @@ You can disable *Save hosting data to help the LBRY network* option in :gear: **
 
     ![Newpipe logo](assets/img//video-streaming/newpipe.svg){ align=right }
 
-    **NewPipe** is a free and open source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
+    **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1).
 
     Your subscription list and playlists are saved locally on your Android device.
 
@@ -105,7 +105,7 @@ It also has integration with [Return YouTube Dislike](https://returnyoutubedisli
 
 This fork is not endorsed by or affiliated with the upstream project. The NewPipe team has [rejected](https://github.com/TeamNewPipe/NewPipe/pull/3205) integration with SponsorBlock and thus this fork is created to provide this functionality.
 
-## Web-based Frontends
+## Web-based frontends
 
 ### Invidious
 
@@ -114,7 +114,7 @@ This fork is not endorsed by or affiliated with the upstream project. The NewPip
     ![Invidious logo](assets/img/video-streaming/invidious.svg#only-light){ align=right }
     ![Invidious logo](assets/img/video-streaming/invidious-dark.svg#only-dark){ align=right }
 
-    **Invidious** is a free and open source frontend for YouTube that is also self-hostable.
+    **Invidious** is a free and open-source frontend for YouTube that is also self-hostable.
 
     There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
 
@@ -126,11 +126,11 @@ This fork is not endorsed by or affiliated with the upstream project. The NewPip
 
 !!! warning
 
-    Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances's settings or add `&local=true` to the URL.
+    Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL.
 
 !!! tip
 
-    Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself and we don’t recommend logging into any accounts.
+    Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
 
 When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting.
 
@@ -143,7 +143,7 @@ When you are using an Invidious instance, make sure to read the privacy policy o
     ![Librarian logo](assets/img/video-streaming/librarian.svg#only-light){ align=right }
     ![Librarian logo](assets/img/video-streaming/librarian-dark.svg#only-dark){ align=right }
 
-    **Librarian** is a free and open source frontend for the LBRY/Odysee video sharing network that is also self-hostable.
+    **Librarian** is a free and open-source frontend for the LBRY/Odysee video sharing network that is also self-hostable.
     
     There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support.
 
@@ -170,7 +170,7 @@ When you are using a Librarian instance, make sure to read the privacy policy of
 
     ![Piped logo](assets/img/video-streaming/piped.svg){ align=right }
 
-    **Piped** is a free and open source frontend for YouTube that is also self-hostable.
+    **Piped** is a free and open-source frontend for YouTube that is also self-hostable.
 
     Piped requires JavaScript in order to function and there are a number of public instances.
 
@@ -182,7 +182,7 @@ When you are using a Librarian instance, make sure to read the privacy policy of
 
 !!! tip
 
-    Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself and we don’t recommend logging into any accounts.
+    Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts.
 
 When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.
 

docs/vpn.en.md

@@ -13,7 +13,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
     If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.
 
-    [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](/basics/tor-overview.md){ .md-button }
+    [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](basics/tor-overview.md){ .md-button }
 
 ??? question "When are VPNs useful?"
 
@@ -27,6 +27,61 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
     Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information.
 
+### Proton VPN
+
+!!! recommendation annotate
+
+    ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
+
+    **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option.
+
+    **Free** — **Plus Plan USD $71.88/year** (1)
+
+    [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }
+
+1. A further 10% is discounted with a 2-year subscription ($119.76).
+
+??? check annotate "63 Countries"
+
+    Proton VPN has [servers in 63 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
+
+    We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
+
+1. As of 2022/05/17
+
+??? check "Independently Audited"
+
+    As of January 2020 Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf).
+
+??? check "Open-Source Clients"
+
+    Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN).
+
+??? check "Accepts Cash"
+
+    Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment.
+
+??? check "WireGuard Support"
+
+    Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that utilizes state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
+
+    Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app.
+
+??? warning "Remote Port Forwarding"
+
+    Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients.
+
+??? check "Mobile Clients"
+
+    In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085) and [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US) allowing for easy connections to their servers. The mobile client on Android is also available in [F-Droid](https://f-droid.org/en/packages/ch.protonvpn.android), which ensures that it is compiled with [reproducible builds](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
+
+??? info "Additional Functionality"
+
+    Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
+
 ### IVPN
 
 !!! recommendation
@@ -44,7 +99,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
 ??? check annotate "32 Countries"
 
-    IVPN has [servers in 32 countries](https://www.ivpn.net/server-locations) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.
+    IVPN has [servers in 32 countries](https://www.ivpn.net/server-locations) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
 
     We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
 
@@ -52,11 +107,11 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
 ??? check "Independently Audited"
 
-    IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future.
+    IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf).
 
-??? check "Open Source Clients"
+??? check "Open-Source Clients"
 
-    As of Feburary 2020 [IVPN applications are now open source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
+    As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn).
 
 ??? check "Accepts Cash and Monero"
 
@@ -84,8 +139,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
 !!! recommendation
 
-    ![Mullvad logo](assets/img/vpn/mullvad.svg#only-light){ align=right }
-    ![Mullvad logo](assets/img/vpn/mullvad-dark.svg#only-dark){ align=right }
+    ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right }
 
     **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial.
 
@@ -99,7 +153,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
 ??? check annotate "38 Countries"
 
-    Mullvad has [servers in 38 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.
+    Mullvad has [servers in 38 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
 
     We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
 
@@ -115,9 +169,9 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
     > The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks.
 
-    In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website.
+    In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf).
 
-??? check "Open Source Clients"
+??? check "Open-Source Clients"
 
     Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app).
 
@@ -141,66 +195,11 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
 ??? check "Mobile Clients"
 
-    Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to use interface as opposed to requiring you to manually configure your WireGuard connection. The mobile client on Android is also available in [F-Droid](https://f-droid.org/packages/net.mullvad.mullvadvpn), which ensures that it is compiled with [reproducible builds](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
+    Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The mobile client on Android is also available in [F-Droid](https://f-droid.org/packages/net.mullvad.mullvadvpn), which ensures that it is compiled with [reproducible builds](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
 
 ??? info "Additional Functionality"
 
-    Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/en/index.html) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
-
-### Proton VPN
-
-!!! recommendation annotate
-
-    ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right }
-
-    **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option.
-
-    **Free** — **Plus Plan USD $71.88/year** (1)
-
-    [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }
-
-1. A further 10% is discounted with a 2-year subscription ($119.76).
-
-??? check annotate "63 Countries"
-
-    Proton VPN has [servers in 63 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (less hops) to the destination.
-
-    We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server).
-
-1. As of 2022/05/17
-
-??? check "Independently Audited"
-
-    As of January 2020 Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/).
-
-??? check "Open Source Clients"
-
-    Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/Proton VPN).
-
-??? check "Accepts Cash"
-
-    Proton VPN, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, and **cash/local currency** as anonymous forms of payment.
-
-??? check "WireGuard Support"
-
-    Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that utilizes state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant.
-
-    Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app.
-
-??? warning "Remote Port Forwarding"
-
-    Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-Peer applications like Torrent clients.
-
-??? check "Mobile Clients"
-
-    In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085) and [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US) allowing for easy connections to their servers. The mobile client on Android is also available in [F-Droid](https://f-droid.org/en/packages/ch.protonvpn.android), which ensures that it is compiled with [reproducible builds](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
-
-??? info "Additional Functionality"
-
-    Proton VPN have their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose.
+    Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
 
 ## Our Criteria
 
@@ -219,7 +218,7 @@ We require all our recommended VPN providers to provide OpenVPN configuration fi
 - Support for strong protocols such as WireGuard & OpenVPN.
 - Killswitch built in to clients.
 - Multihop support. Multihopping is important to keep data private in case of a single node compromise.
-- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. We like to see these applications [available in F-Droid](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
+- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. We like to see these applications [available in F-Droid](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
 
 **Best Case:**
 
@@ -227,7 +226,7 @@ We require all our recommended VPN providers to provide OpenVPN configuration fi
 - Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
 - Easy-to-use VPN clients
 - Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses.
-- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) filesharing software, Freenet, or hosting a server (e.g., Mumble).
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software, Freenet, or hosting a server (e.g., Mumble).
 
 ### Privacy
 
@@ -279,15 +278,15 @@ With the VPN providers we recommend we like to see responsible marketing.
 
 **Minimum to Qualify:**
 
-- Must self-host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
+- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out.
 
 Must not have any marketing which is irresponsible:
 
-- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, eg:
-  - Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
-  - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
-- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
-- Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
+- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.:
+    - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.)
+    - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes.
+- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor.
 
 **Best Case:**
 

includes/abbreviations.en.md

@@ -16,6 +16,7 @@
 *[EEA]: European Economic Area
 *[EOL]: End-of-Life
 *[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
 *[FDE]: Full Disk Encryption
 *[FIDO]: Fast IDentity Online
 *[GDPR]: General Data Protection Regulation
@@ -40,9 +41,11 @@
 *[JNI]: Java Native Interface
 *[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
 *[MAC]: Media Access Control
+*[MDAG]: Microsoft Defender Application Guard
 *[MEID]: Mobile Equipment Identifier
 *[MFA]: Multi-Factor Authentication
 *[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
 *[OCI]: Open Container Initiative
 *[OCSP]: Online Certificate Status Protocol
 *[OEM]: Original Equipment Manufacturer
@@ -52,6 +55,7 @@
 *[OTPs]: One-Time Passwords
 *[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
 *[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
 *[PGP]: Pretty Good Privacy (see OpenPGP)
 *[PII]: Personally Identifiable Information
 *[QNAME]: Qualified Name
@@ -63,6 +67,7 @@
 *[SNI]: Server Name Indication
 *[SSD]: Solid-State Drive
 *[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
 *[SaaS]: Software as a Service (cloud software)
 *[SoC]: System on Chip
 *[TCP]: Transmission Control Protocol
@@ -71,6 +76,7 @@
 *[TOTP]: Time-based One-Time Password
 *[TPM]: Trusted Platform Module
 *[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
 *[UDP]: User Datagram Protocol
 *[VPN]: Virtual Private Network
 *[VoIP]: Voice over IP (Internet Protocol)
@@ -79,5 +85,6 @@
 *[attack surface]: The attack surface of software or hardware is the sum of the different places an attacker can try to enter data to or extract data from.
 *[cgroups]: Control Groups
 *[fork]: In software development, a fork is created when developers take a copy of source code from one software package and start independent development on it, creating a distinct and separate piece of software.
+*[hypervisor]: A hypervisor is computer software, firmware, or hardware that allows partitioning the resource of a CPU among multiple operating systems or independent programs.
 *[rolling release]: An update release cycle in which updates are released very frequently, instead of at set intervals.
 *[walled garden]: A walled garden (or closed platform) is one in which the service provider has control over applications, content, and/or media, and restricts convenient access to non-approved applicants or content.

mkdocs.yml

@@ -168,10 +168,12 @@ nav:
     - 'Advanced':
       - 'advanced/integrating-metadata-removal.md'
       - 'advanced/erasing-data.md'
+      - 'advanced/signal-configuration-hardening.md'
   - 'Recommendations':
     - 'tools.md'
     - 'Browsers':
-      - 'browsers.md'
+      - 'desktop-browsers.md'
+      - 'mobile-browsers.md'
     - 'Operating Systems':
       - 'android.md'
       - 'linux-desktop.md'
@@ -208,6 +210,7 @@ nav:
   - 'Discussions': 'https://github.com/orgs/privacyguides/discussions'
   - 'Blog':
     - '2022':
+      - '"Hide Nothing"': 'blog/2022/06/09/hide-nothing.md'
       - '"Move Fast and Break Things"': 'blog/2022/04/04/move-fast-and-break-things.md'
     - '2021':
       - 'Firefox Privacy: 2021 Update': 'blog/2021/12/01/firefox-privacy-2021-update.md'