Remove magic wormhole (#1588)

Signed-off-by: Daniel Gray <dng@disroot.org>

.github/workflows/crowdin.yml

@@ -14,7 +14,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: crowdin action
-      uses: crowdin/github-action@1.4.9
+      uses: crowdin/github-action@1.4.10
       with:
         upload_sources: true
         upload_sources_args: '--auto-update --delete-obsolete'

.github/workflows/deploy.yml

@@ -29,7 +29,7 @@ jobs:
           python-version: '3.7'
       
       - name: Cache files
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.0.5
         with:
           key: ${{ github.ref }}
           path: .cache

docs/advanced/integrating-metadata-removal.en.md

@@ -78,7 +78,7 @@ Shortcuts is quite intuitive to work with, so if you don't like the behavior dem
 
 [Shortcuts](https://support.apple.com/guide/shortcuts/welcome/ios) can be made accessible through the system Share Sheet, making accessing those shortcuts very convenient. This guide will show you how to build a metadata removal shortcut and integrate it into the system *Share Sheet*.
 
-!!! attention
+!!! warning
     This method of metadata removal is not as comprehensive at removing metadata as utilities like [ExifTool](../metadata-removal-tools.md#exiftool) and [mat2](../metadata-removal-tools.md#mat2) are.
 
 The lack of *good* metadata removal apps on the App Store is what makes this solution worthwhile.

docs/advanced/signal-configuration-hardening.en.md

@@ -0,0 +1,260 @@
+---
+title: "Signal Configuration and Hardening"
+icon: 'material/chat-processing'
+---
+
+[Signal](../real-time-communication.md#signal) is a widely regarded instant messaging service that is not only easy to use but is also private and secure. Signal's strong E2EE implementation and metadata protections provide a level of assurance that only you and your intended recipients are able to read communications.
+
+This guide details actions you can take to configure and harden Signal in accordance with your [threat model](../basics/threat-modeling.md).
+
+## Signal Configuration
+
+### Signal PIN
+
+When you register for Signal with your phone number, you will be asked to set up a Signal PIN. This PIN can be used to recover your profile, settings, contacts and who you've blocked in case you ever lose or switch devices.
+
+Additionally, your Signal PIN can also double as a registration lock that prevents others from registering with your number.
+
+!!! attention "Registration Lock"
+
+    The server will not enforce the registration lock after 7 days of inactivity. After that, someone will be able to reset the PIN at registration and register with your phone number. This will wipe the data stored in your Signal account, as it is encrypted by the PIN, but it won't prevent someone from registering with your number provided that they can receive a text on it.
+
+If you haven't set up a Signal PIN, or have previously opted out of setting one up, follow these steps on Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Account** > **Signal PIN**
+- Select **Create new PIN**
+
+Signal will prompt you to enter a PIN. We suggest using a strong alphanumeric PIN that can be stored in a [password manager](../passwords.md).
+
+Once you have done that, or if you already have set up a PIN, make sure that **Registration Lock** is also enabled.
+
+- Select :material-dots-vertical: **Settings** > **Account** > **Signal PIN**
+- [x] Turn on **Registration Lock**
+
+!!! Important
+
+    If you forget the PIN and have enabled a registration lock, you may be locked out of your account for up to 7 days.
+
+You can learn more about Signal PIN on [Signal's website](https://support.signal.org/hc/en-us/articles/360007059792-Signal-PIN).
+
+### Safety Numbers
+
+Safety numbers are a feature in Signal that allows you to ensure that messages are delivered securely between verified devices.
+
+It is best practice to always compare safety numbers with your contacts. This can be done in a couple of ways:
+
+- Scanning your contact's QR code while viewing their safety number.
+- Comparing the safety numbers on both ends, be it visually or audibly.
+
+!!! Important
+
+    In order for safety numbers to also verify that the intended recipient has access to the device you're verifying, you need a secondary communication channel where you can authenticate the person that is holding the device. For example, an in-person meeting or during a video call.
+
+To view the safety number for a particular contact, you need to follow these steps within Signal:
+
+- Go to a chat with a contact.
+- Select the chat header or :material-dots-vertical: > **View Safety Number**
+
+Once you've compared the safety numbers on both devices, you can mark that contact as **Verified**.
+
+A checkmark will appear in the chat header by your contact's name when the safety number is marked as verified. It will remain verified unless the safety number changes or you manually change the verification status.
+
+After doing that, any time the safety number changes, you'll be notified.
+
+If the safety number with one of your contacts changes, we recommend asking the contact what happened (if they switched to a new device or re-installed Signal, for example) and verify the safety numbers again.
+
+For more demanding threat models, you should agree on a protocol with your contacts in advance on what to do in case the safety number ever changes.
+
+You can learn more about safety numbers on [Signal's website](https://support.signal.org/hc/en-us/articles/360007060632-What-is-a-safety-number-and-why-do-I-see-that-it-changed-).
+
+### Disappearing Messages
+
+While communication in Signal is E2EE, the messages are still available on the devices, unless they are manually deleted.
+
+It is good practice to set up disappearing messages in Signal's settings so that any chats you start will disappear after a specified amount of time has passed.
+
+On Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- Under **Disappearing messages**, select **Default timer for new chats**
+- Select the desired amount of time and select **Save**
+
+!!! tip "Override the global default for specific contacts"
+
+    - Go to a chat with a contact
+    - Select :material-dots-vertical: on the top right
+    - Select **Disappearing messages**
+    - Select the desired amount of time and select **Save**
+
+We recommend setting up a reasonable timer by default, such as one week, and adjusting it per contact as you see fit.
+
+!!! tip "Snapchat-like Functionality"
+
+    Signal allows you to send "view-once" media that are automatically removed from the conversation after they have been viewed.
+
+### Disable Link Previews
+
+Signal offers the ability to retrieve previews of webpages linked within a conversation.
+
+This means that when you send a link, a request will be sent to that website so that a preview of the website can be displayed alongside the link. Thus, we recommend disabling link previews.
+
+Your recipient doesn't make any requests unless they open the link on their end.
+
+On Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Chats**
+- [ ] Turn off **Generate link previews**
+
+### Screen Security
+
+Signal allows you to prevent a preview of the app being shown (i.e., in the app switcher) unless you explicitly open it.
+
+On Android:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- [x] Turn on **Screen Security**
+
+On iOS:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- [x] Turn on **Hide Screen in App Switcher**
+
+### Screen Lock
+
+If someone gets a hold of your device while it is unlocked, you run the risk of them being able to open the Signal app and look at your conversations.
+
+To mitigate this, you can leverage the Screen Lock option to require additional authentication before Signal can be accessed.
+
+On Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- [x] Turn on **Screen Lock**
+
+### Notification Privacy
+
+Even when your phone is locked, anyone who can lay eyes on the device can read messages and sender names from your lock screen.
+
+On Signal, you have the ability to hide message content and sender name, or just the message content itself.
+
+On Android:
+
+- Select :material-dots-vertical: **Settings** > **Notifications**
+- Select **Show**
+- Select **No name or message** or **Name only** respectively.
+
+On iOS:
+
+- Select :material-dots-vertical: **Settings** > **Notifications**
+- Select **Show**
+- Select **No name or Content** or **Name Only** respectively.
+
+### Call Relaying
+
+Signal allows you to relay all calls (including video calls) through the Signal server to avoid revealing your IP address to your contact. This may reduce call quality.
+
+On Android/iOS:
+
+- Select :material-dots-vertical: **Settings** > **Privacy** > **Advanced**
+- [x] Turn on **Always Relay Calls**
+
+For incoming calls from people who are not in your Contacts app, the call will be relayed through the Signal server regardless of how you've set it up.
+
+### Proxy Support
+
+If Signal is blocked in your country, Signal allows you to set up a proxy to bypass it.
+
+!!! Warning
+
+    All traffic remains opaque to the proxy operator. However, the censoring party could learn that you are using Signal through a proxy because the app [fails to route all the IP connections to the proxy](https://community.signalusers.org/t/traffic-not-routed-to-tls-proxies-can-expose-users-to-censors/27479).
+
+You can learn more about Signal's proxy support on their [website](https://support.signal.org/hc/en-us/articles/360056052052-Proxy-Support).
+
+### Keep Your Signal Call History off iCloud (iOS only)
+
+Signal allows you to see your call history from your regular phone app. This allows your iOS device to sync your call history with iCloud, including who you spoke to, when, and for how long.
+
+If you use iCloud and you don’t want to share call history on Signal, confirm it’s turned off:
+
+- Select :material-dots-vertical: **Settings** > **Privacy**
+- [ ] Turn off **Show Calls in Recents**
+
+## Signal Hardening
+
+### Avoid Linking Your Signal Account to a Desktop Device
+
+While it may be tempting to link your Signal account to your desktop device for convenience, keep in mind that this extends your trust to an additional and potentially less secure operating system.
+
+If your threat model calls for it, avoid linking your Signal account to a desktop device to reduce your attack surface.
+
+### Endpoint Security
+
+Signal takes security very seriously, however there is only so much an app can do to protect you.
+
+It is very important to take device security on both ends into account to ensure that your conversations are kept private.
+
+We recommend an up-to-date [GrapheneOS](/android/#grapheneos) or iOS device.
+
+### Hardening Signal with Molly on Android
+
+!!! recommendation
+
+    ![Molly logo](../assets/img/messengers/molly.svg){ align=right }
+
+    **Molly** is a security-focused [Signal](../real-time-communication/#signal) fork that aims to provide extensive hardening and anti-forensic features to people who use Signal.
+
+    [:octicons-home-16: Homepage](https://molly.im/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://github.com/mollyim/mollyim-android/wiki){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/mollyim/mollyim-android){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://opencollective.com/mollyim){ .card-link title=Contribute }
+
+    ??? downloads
+
+         - [:pg-f-droid: F-Droid](https://molly.im/download/fdroid/)
+         - [:fontawesome-brands-github: GitHub](https://github.com/mollyim/mollyim-android/releases)
+
+Molly offers two variants of the app: **Molly** and **Molly-FOSS**.
+
+The former is identical to Signal with the addition of Molly's improvements and security features. The latter, Molly-FOSS, removes Google's proprietary code, which is used for some key features (e.g., [FCM](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) and Google Maps integration), in an effort to make it fully open-source.
+
+A comparison of the two versions is available in the [project's repository](https://github.com/mollyim/mollyim-android#readme).
+
+Both versions of Molly support [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds), meaning it's possible to confirm that the compiled APKs match the source code.
+
+#### Features
+
+Molly has implemented database encryption at rest, which means that you can encrypt the app's database with a passphrase to ensure that none of its data is accessible without it.
+
+!!! note
+
+    As long as Molly is locked, you will not receive notifications for any incoming messages or calls until you unlock it again.
+
+Once enabled, a configurable lock timer can be set, after which point Molly will lock itself if you haven't unlocked your device for that specific time period. Alternatively, you can manually lock the app whenever you want.
+
+For the database encryption feature to be useful, two conditions must be met:
+
+1. Molly has to be locked at the time an attacker gains access to the device. This can include a physical attack in which the attacker seizes your device and manages to unlock the device itself, or a remote attack, in which the device is compromised and manages to elevate privileges to root.
+1. If you become aware that your device has been compromised, you should not unlock Molly's database.
+
+If both of the above conditions are met, the data within Molly is safe as long as the passphrase is not accessible to the attacker.
+
+To supplement the database encryption feature, Molly securely wipes your device's RAM once the database is locked to defend against forensic analysis.
+
+While Molly is running, your data is kept in RAM. When any app closes, its data remains in RAM until another app takes the same physical memory pages. That can take seconds or days, depending on many factors. To prevent anyone from dumping the RAM to disk and extracting your data after Molly is locked, the app overrides all free RAM memory with random data when you lock the database.
+
+There is also the ability to configure a SOCKS proxy in Molly to route its traffic through the proxy or Tor (via [Orbot](/android/#orbot)). When enabled, all traffic is routed through the proxy and there are no known IP or DNS leaks. When using this feature, [call relaying](#call-relaying) will always be enabled, regardless of the setting.
+
+Signal adds everyone who you have communicated with to its database. Molly allows you to delete those contacts and stop sharing your profile with them.
+
+To supplement the feature above, as well as for additional security and to fight spam, Molly offers the ability to block unknown contacts that you've never been in contact with or those that are not in your contact list without you having to manually block them.
+
+You can find a full list of Molly's [features](https://github.com/mollyim/mollyim-android#features) on the project's repository.
+
+#### Caveats
+
+- Molly does not support SMS messages within the app, unlike the official Signal app.
+- Molly removes Signal's Mobilecoin integration.
+- Molly is updated every two weeks to include the latest features and bug fixes from Signal. The exception is security issues, that are patched as soon as possible. That said, you should be aware that there might be a slight delay compared to upstream.
+- By using Molly, you are extending your trust to another party, as you now need to trust the Signal team, as well as the Molly team.
+
+--8<-- "includes/abbreviations.en.md"

docs/android.en.md

@@ -6,7 +6,7 @@ icon: 'fontawesome/brands/android'
 These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. We also have additional Android-related information:
 
 - [General Android Overview and Recommendations :hero-arrow-circle-right-fill:](android/overview.md)
-- [GrapheneOS vs CalyxOS Comparison :hero-arrow-circle-right-fill:](android/grapheneos-vs-calyxos.md)
+- [Why we recommend GrapheneOS over CalyxOS :hero-arrow-circle-right-fill:](android/grapheneos-vs-calyxos.md)
 
 ## AOSP Derivatives
 
@@ -65,26 +65,6 @@ DivestOS implements some system hardening patches originally developed for Graph
 
     Not all of the supported devices have verified boot, and some perform it better than others.
 
-### CalyxOS
-
-!!! recommendation
-
-    ![CalyxOS logo](assets/img/android/calyxos.svg){ align=right }
-
-    **CalyxOS** is a system with some privacy features on top of AOSP, including [Datura](https://calyxos.org/docs/tech/datura-details) firewall, [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so verified boot is fully supported.
-
-    We only recommend CalyxOS as a harm reduction measure for the OnePlus 8T, OnePlus 9, and especially the Fairphone 4 if you need microG.
-
-    [:octicons-home-16: Homepage](https://calyxos.org/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://calyxinstitute.org/legal/privacy-policy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://calyxos.org/docs/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/CalyxOS){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://members.calyxinstitute.org/donate){ .card-link title=Contribute }
-
-CalyxOS optionally includes [microG](https://microg.org/), a partially open-source reimplementation of Play Services which provides broader app compatibility. It also bundles in alternate location services: [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu).
-
-CalyxOS [supports](https://calyxos.org/docs/guide/device-support/) Google Pixel phones, the OnePlus 8T/9/9 Pro and the Fairphone 4.
-
 ## Android Devices
 
 When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.
@@ -126,30 +106,6 @@ A few more tips for purchasing a Google Pixel:
 - Look at online community bargain sites in your country. These can alert you to good sales.
 - Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date }-\text{ Current Date}$, meaning that the longer use of the device the lower cost per day.
 
-### Other Devices
-
-The following OEMs are only mentioned as they have phones compatible with the operating systems recommended by us. If you are purchasing a new device, we only recommend purchasing a Google Pixel.
-
-#### OnePlus
-
-If you are unable to obtain a Google Pixel, recent OnePlus devices are the next best option if you want to run a custom OS without privileged Play Services. OnePlus 8 and later devices will receive 4 years of security updates from their initial launch date. CalyxOS has [experimental support](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/) for the **OnePlus 8T** and **9**.
-
-DivestOS has support for most OnePlus devices up to the **OnePlus 9 Pro**, with varying levels of support.
-
-#### Fairphone
-
-!!! danger
-
-    The Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
-
-    This problem is somewhat mitigated when you install a custom operating system such as CalyxOS or DivestOS and trust the developer's signing keys rather than the stock system keys, however a vulnerability in CalyxOS or DivestOS's recovery environments could still potentially allow an attacker to bypass AVB.
-
-    **To reiterate, you must install a custom operating system with custom boot keys to use Fairphone devices in a secure manner.**
-
-CalyxOS has [experimental support](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/) for the **Fairphone 4**. DivestOS has builds available for the **Fairphone 3**.
-
-Fairphone markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
-
 ## General Apps
 
 ### Orbot

docs/android/grapheneos-vs-calyxos.en.md

@@ -1,12 +1,15 @@
 ---
-title: "GrapheneOS vs CalyxOS"
+title: "Why we recommend GrapheneOS over CalyxOS"
 icon: 'material/cellphone-cog'
 ---
+
+GrapheneOS and CalyxOS are commonly compared as similar options for people looking for an alternative Android OS for their Pixel devices. Below are some of the reasons why we recommend GrapheneOS over CalyxOS.
+
 ## Profiles
 
 CalyxOS includes a device controller app so there is no need to install a third-party app like Shelter.
 
-GrapheneOS extends the user profile feature, allowing you to end a current session. To do this, select *End Session* which will clear the encryption key from memory. There are plans to add a [cross profile notifications system](https://github.com/GrapheneOS/os-issue-tracker/issues/88) in the future. GrapheneOS plans to introduce nested profile support with better isolation in the future.
+GrapheneOS extends the user profile feature, allowing you to end a current session. To do this, select *End Session* which will clear the encryption key from memory. GrapheneOS also provides [cross-profile notification forwarding](https://grapheneos.org/features#notification-forwarding). GrapheneOS plans to introduce nested profile support with better isolation in the future.
 
 ## Sandboxed Google Play vs Privileged microG
 
@@ -22,9 +25,11 @@ Local RF location backends like DejaVu require that the phone has a working GPS
 
 If your threat model requires protecting your location or the MAC addresses of nearby devices, rerouting location requests to the OS location API is probably the best option. The benefit brought by microG's custom location backend is minimal at best when compared to Sandboxed Play Services.
 
-In terms of application compatibility, Sandboxed Google Play on GrapheneOS outperforms microG on CalyxOS due to its support for many services which microG has not yet implemented, like [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html). Larger apps, especially games, require Play Delivery to be installed, which is currently not implemented in microG. Authentication using [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) with online services on Android also relies on Play Services, and does not currently work with microG.
+In terms of application compatibility, Sandboxed Google Play on GrapheneOS is always going to be more compatible as it is the same code as what is released by Google. microG is a reimplementation of these services. As a result of that it only supports the various parts that have been reimplemented, meaning some things such as [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html) are not yet supported.
 
-[^1]: It should be noted that microG still uses proprietary Google binaries for some of its components such as DroidGuard. Push notifications, if enabled, still go through Google's servers just like with Play Services. Outside of default microG setups like on CalyxOS, it is possible to run microG in the unprivileged `untrusted app` SELinux domain and without the signature spoofing patch. However, microG's functionality and compatibility, which is already not nearly as broad as Sandboxed Play Services, will greatly diminish.
+Larger apps, especially games, require Play Delivery to be installed, which is currently not implemented in microG. Authentication using [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) with online services on Android also relies on Play Services, and does not currently work with microG.
+
+[^1]: It should be noted that microG still uses proprietary Google binaries for some of its components such as DroidGuard. Push notifications, if enabled, still go through Google's servers just like with Play Services. Outside of default microG setups like on CalyxOS, it is possible to run microG in the unprivileged [`untrusted app`](https://source.android.com/security/selinux/concepts) SELinux domain and without the signature spoofing patch. However, microG's functionality and compatibility, which is already not nearly as broad as Sandboxed Play Services, will greatly diminish.
 
 ## Privileged eSIM Activation Application
 
@@ -32,7 +37,7 @@ Currently, eSIM activation is tied to a privileged proprietary application by Go
 
 On GrapheneOS, the app comes disabled and can be *optionally* enabled by the user after they have installed Sandboxed Play Services.
 
-On CalyxOS, the app comes installed by default (regardless of whether you choose to have microG or not) and cannot be opted out. This is particularly problematic, as it means Google still has access to the user's hardware identifiers regardless of whether they even need the eSIM activation or not, and can access them persistently.
+On CalyxOS, the app comes installed by default (regardless of whether you choose to have microG or not) and cannot be opted out. This means Google still has access to your hardware identifiers regardless of whether or not you need eSIM activation and can be accessed persistently.
 
 ## Privileged App Extensions
 

docs/android/overview.en.md

@@ -34,6 +34,8 @@ Verified Boot ensures the integrity of the operating system files, thereby preve
 
 Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
 
+Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.
+
 ## Firmware Updates
 
 Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
@@ -42,16 +44,21 @@ As the components of the phone, such as the processor and radio technologies rel
 
 EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
 
+Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
 ## Android Versions
 
 It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
 
 ## Android Permissions
 
-[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. The savings you make from not purchasing or subscribing to security apps is better spent on paying for a supported device in the future.
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel.
 
 Should you want to run an app that you're unsure about, consider using a user or work profile.
 
+## Media Access
+Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.
+
 ## User Profiles
 
 Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android.
@@ -70,7 +77,7 @@ This method is generally less secure than a secondary user profile; however, it
 
 ## VPN Killswitch
 
-Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in (:gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**).
+Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
 
 ## Global Toggles
 

docs/assets/img/android/calyxos.svg

@@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.43429 0 0 .43429 -102.24 -35.595)" stroke-width=".26458"><path d="m313.4 119.93c-7.7343 13.52-22.298 22.631-38.991 22.631-16.692 0-31.256-9.1114-38.991-22.631 7.7346-13.521 22.299-22.632 38.991-22.632 16.693 0 31.257 9.1115 38.991 22.632" fill="#9acc01"/><path d="m298.61 144.6-6.8334-12.569c2.364-3.4422 3.7478-7.6102 3.7478-12.101 0-11.819-9.5811-21.4-21.4-21.4-11.819 0-21.4 9.5806-21.4 21.4 0 11.819 9.5811 21.4 21.4 21.4 4.4736 0 8.6265-1.3727 12.061-3.7206l12.422 6.9937z" fill="#231f20"/><path d="m284.91 125.24c0 5.7915-4.7106 10.502-10.502 10.502-5.7915 0-10.502-4.7106-10.502-10.502v-12.917c0-0.80301 0.65352-1.456 1.4565-1.456 0.80275 0 1.456 0.65299 1.456 1.456v7.8192c0 0.4236 0.34263 0.76623 0.76702 0.76623 8e-3 0 0.0167-2e-3 0.0257-2e-3s0.0164 2e-3 0.0251 2e-3c0.4236 0 0.7665-0.34263 0.7665-0.76623v-11.856c0-0.80354 0.65299-1.4571 1.4565-1.4571s1.4565 0.65352 1.4565 1.4571v11.166c0 0.42387 0.34343 0.76624 0.76677 0.76624 0.42254 0 0.76623-0.34264 0.76623-0.76624v-13.875c0-0.80301 0.65378-1.4555 1.4563-1.4555 0.80354 0 1.4568 0.65246 1.4568 1.4555v13.773c0 0.42413 0.34317 0.76703 0.7665 0.76703 0.42307 0 0.7665-0.34317 0.7665-0.76703v-11.37c0-0.80327 0.65352-1.4565 1.4565-1.4565 0.80327 0 1.456 0.65352 1.456 1.4565v14.555c-1.7436 0.16219-5.8518 1.0464-7.543 5.7222-0.14366 0.39793 0.0622 0.83767 0.46038 0.9824 0.0857 0.031 0.1741 0.0455 0.26009 0.0455 0.31379 0 0.60748-0.19474 0.72125-0.50536 1.7732-4.903 6.6273-4.7546 6.8313-4.7464l0.80354 0.0386v-8.0939c0-0.80301 0.7112-1.4565 1.5843-1.4565 0.87392 0 1.5841 0.65352 1.5841 1.4565v9.2625zm-1.5841-12.253c-0.57864 0-1.1192 0.15557-1.5843 0.41963v-5.4277c0-1.6486-1.3409-2.9901-2.9895-2.9901-0.53314 0-1.0327 0.14261-1.4666 0.38761-0.10398-1.555-1.3991-2.789-2.98-2.789-1.6484 0-2.9893 1.3409-2.9893 2.989v0.10001c-0.4318-0.2413-0.92763-0.381-1.4565-0.381-1.6481 0-2.9893 1.3409-2.9893 2.9901v1.4594c-0.44344-0.26035-0.95752-0.41222-1.5079-0.41222-1.6486 0-2.99 1.3404-2.99 2.9893v12.917c0 6.636 5.3991 12.035 12.036 12.035 6.636 0 12.035-5.3991 12.035-12.035v-9.2631c0-1.6484-1.3981-2.9893-3.1171-2.9893" fill="#9acc01"/></g></svg>

docs/assets/img/browsers/bromite.svg

@@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.866 33.866" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(1.9999 0 0 1.9999 -.00028793 -560.11)"><g transform="matrix(.1411 0 0 .1411 -22.448 274.09)"><g transform="matrix(6.5975,0,0,6.5975,-881.57,-908.75)"><path d="m166.76 148.57v2.8e-4c-0.0731 1e-3 -0.14646 3e-3 -0.21965 6e-3 -2.0814 0.0983-3.9695 1.2488-5.0113 3.0532-0.27591 0.47789-0.47972 0.97776-0.61543 1.4866 1.8658 0.19779 3.5534 0.93382 4.9049 2.0531 2.7603 1.8081 5.5017 1.1662 7.0499 0.51897 0.40336-2.4423-0.70912-4.988-2.9792-6.2988-0.95179-0.54962-2.0328-0.83212-3.1292-0.81971z" fill="#d0f6ed" stroke-width=".14568"/><path d="m166.59 152.15c-1.5641 9.9e-4 -2.9951 0.51259-3.7051 1.324 0.94324 0.3021 1.8146 0.75292 2.5877 1.3259-1.2e-4 -3.9e-4 -1.6e-4 -1e-3 -2.9e-4 -1e-3 1.3493-0.74086 3.1114-1.2154 4.6422-1.5091-0.75982-0.70753-2.0913-1.1376-3.5245-1.1388v-5.6e-4z" fill="#4de564" stroke-width=".27973"/><path d="m172.56 152.93c-1.6055 0.16301-4.8923 0.66396-7.0864 1.8687 0.12815 0.095 0.25361 0.19321 0.37621 0.29474 2.6929 1.7639 5.3671 1.1376 6.8778 0.50616 0.14847-0.89893 0.0864-1.8121-0.16739-2.6696z" fill="#06c23c" stroke-width=".38858"/><path d="m170.2 144.17c-0.297-8e-3 -0.58809 0.14301-0.74764 0.41937l-0.15266 0.26436c-0.23207 0.40197-0.0953 0.91236 0.30665 1.1444l0.0712 0.0411-0.6784 1.175c-0.68491-0.19996-1.3964-0.30489-2.1144-0.30964l-3e-4 -2.9e-4c-0.13829-9.1e-4 -0.27683 2e-3 -0.41545 8e-3 -2.6278 0.12414-5.0122 1.5767-6.3272 3.8551-2.1338 3.6958-0.86761 8.4218 2.8282 10.556 3.696 2.1338 8.4218 0.86727 10.556-2.8288 1.8213-3.155 1.1646-7.0602-1.3656-9.463l0.67518-1.1694 0.0706 0.0407c0.40198 0.23207 0.91244 0.0953 1.1445-0.30665l0.15259-0.26436c0.23207-0.40197 0.0953-0.91243-0.30665-1.1445l-3.2996-1.905c-0.12562-0.0725-0.26181-0.10907-0.3968-0.11272zm-3.434 4.6336c1.0696-0.0121 2.1243 0.26346 3.0528 0.79964 2.2146 1.2787 3.1576 3.6198 2.7641 6.0024-1.5104 0.63142-4.0427 1.1156-6.7355-0.6483-1.3185-1.0919-2.8225-1.6679-4.6427-1.8609 0.13239-0.49643 0.33106-0.98387 0.60022-1.4501 1.0163-1.7604 2.7165-2.7406 4.7469-2.8365 0.0714-3e-3 0.14275-5e-3 0.21406-6e-3z" fill="#25935e" stroke-width=".28021"/></g></g></g></svg>

docs/assets/img/messengers/molly.svg

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="127.99" height="128" version="1.1" viewBox="0 0 33.864 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="translate(-48.383 -89.279)"><g transform="matrix(.083544 0 0 .083551 36.799 77.694)"><path d="m220.51 504.06 120.82 39.937 1.2e-4 4e-5 -143.92-5e-5zm323.49-162.73c0 111.93-90.737 202.67-202.67 202.67-111.93-1e-5 -202.67-90.737-202.67-202.67s90.737-202.67 202.67-202.67c111.93 0 202.67 90.737 202.67 202.67z" fill="#7663f0"/><g transform="translate(-5.1601e-6,-4.0973)"><circle cx="341" cy="433.47" r="23.536" fill="#f9f8fe" stroke-width=".64448"/><circle cx="439.19" cy="375.64" r="23.536" fill="#aaa4ce" stroke-width=".64448"/><circle cx="242.81" cy="375.64" r="23.536" fill="#cba1fe" stroke-width=".64447"/><g stroke-width=".64448"><circle cx="439.19" cy="433.47" r="23.536" fill="#f9f8fe"/><circle cx="439.19" cy="317.82" r="23.536" fill="#aacdf4"/><circle cx="242.81" cy="260" r="23.536" fill="#4b0f9f"/></g><circle cx="242.81" cy="317.82" r="23.536" fill="#aaa4ce" stroke-width=".64447"/><g stroke-width=".64448"><circle cx="242.81" cy="433.47" r="23.536" fill="#f9f8fe"/><circle cx="341" cy="317.82" r="23.536" fill="#4b0f9f"/><circle cx="341" cy="375.64" r="23.536" fill="#aacdf4"/></g><circle cx="439.19" cy="260" r="23.536" fill="#4b0f9f" stroke-width=".64447"/></g></g></g></svg>

docs/assets/rainbow-brand/privacy-guides-logo-notext.svg

@@ -1,15 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE svg  PUBLIC '-//W3C//DTD SVG 1.1//EN'  'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
-<svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" version="1.1" viewBox="0 0 33 34" xml:space="preserve" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-    <path d="m4.581 4.337c-0.113 0.379-0.049 0.822 0.077 1.707l1.604 11.224c0.277 1.939 0.415 2.909 0.782 3.775 0.325 0.768 0.781 1.474 1.346 2.087 0.638 0.691 1.465 1.217 3.117 2.269l2.349 1.495c1.126 0.716 1.69 1.075 2.295 1.214 0.465 0.108 0.947 0.121 1.416 0.042-0.388-0.887-0.603-1.867-0.603-2.897 0-3.996 3.24-7.236 7.236-7.236 1.166 0 2.268 0.276 3.243 0.766 0.069-0.432 0.14-0.929 0.223-1.514v-1e-3l1.604-11.224c0.126-0.885 0.19-1.328 0.077-1.707-0.099-0.334-0.292-0.632-0.557-0.859-0.3-0.257-0.73-0.38-1.59-0.626l-9.441-2.697c-0.296-0.085-0.444-0.127-0.594-0.144-0.134-0.015-0.268-0.015-0.402 0-0.15 0.017-0.298 0.059-0.594 0.144l-9.441 2.697c-0.86 0.246-1.29 0.369-1.59 0.626-0.265 0.227-0.458 0.525-0.557 0.859z" fill="#ffd06f"/>
-    <clipPath id="_clip1">
-        <path d="m4.581 4.337c-0.113 0.379-0.049 0.822 0.077 1.707l1.604 11.224c0.277 1.939 0.415 2.909 0.782 3.775 0.325 0.768 0.781 1.474 1.346 2.087 0.638 0.691 1.465 1.217 3.117 2.269l2.349 1.495c1.126 0.716 1.69 1.075 2.295 1.214 0.465 0.108 0.947 0.121 1.416 0.042-0.388-0.887-0.603-1.867-0.603-2.897 0-3.996 3.24-7.236 7.236-7.236 1.166 0 2.268 0.276 3.243 0.766 0.069-0.432 0.14-0.929 0.223-1.514v-1e-3l1.604-11.224c0.126-0.885 0.19-1.328 0.077-1.707-0.099-0.334-0.292-0.632-0.557-0.859-0.3-0.257-0.73-0.38-1.59-0.626l-9.441-2.697c-0.296-0.085-0.444-0.127-0.594-0.144-0.134-0.015-0.268-0.015-0.402 0-0.15 0.017-0.298 0.059-0.594 0.144l-9.441 2.697c-0.86 0.246-1.29 0.369-1.59 0.626-0.265 0.227-0.458 0.525-0.557 0.859z"/>
-    </clipPath>
-    <g clip-path="url(#_clip1)">
-        <use transform="scale(.99533 .97244)" x="4.544" width="24.883px" height="28.201px" xlink:href="#_Image2"/>
-    </g>
-    <path d="m13.246 2.719c0.066-7e-3 0.134-7e-3 0.201 0 0.057 7e-3 0.122 0.022 0.446 0.114l9.44 2.698c0.444 0.126 0.727 0.208 0.94 0.287 0.202 0.075 0.274 0.124 0.311 0.156 0.132 0.113 0.229 0.262 0.278 0.429 0.014 0.047 0.03 0.133 0.016 0.348-0.015 0.226-0.056 0.518-0.122 0.974l-1.346 9.426c-4.125 0.397-7.351 3.873-7.351 8.102 0 0.835 0.126 1.641 0.36 2.4l-0.451 0.286c-1.183 0.753-1.594 1.001-2.012 1.097-0.401 0.092-0.818 0.092-1.22 0-0.417-0.096-0.829-0.344-2.012-1.097l-2.349-1.494c-1.693-1.078-2.398-1.535-2.938-2.12-0.495-0.536-0.894-1.153-1.178-1.825-0.31-0.733-0.436-1.564-0.72-3.551l-1.603-11.224c-0.066-0.456-0.107-0.748-0.121-0.974-0.015-0.215 1e-3 -0.301 0.015-0.348 0.05-0.167 0.146-0.316 0.279-0.429 0.036-0.032 0.109-0.081 0.31-0.156 0.213-0.079 0.496-0.161 0.94-0.287l9.44-2.698c0.324-0.092 0.389-0.107 0.447-0.114zm13.306 5.231-1.318 9.228c4.007 0.508 7.106 3.93 7.106 8.075 0 4.496-3.644 8.141-8.14 8.141-3.01 0-5.639-1.634-7.048-4.064l-0.212 0.136-0.135 0.085c-0.996 0.634-1.683 1.072-2.443 1.248-0.668 0.154-1.364 0.154-2.032 0-0.76-0.176-1.447-0.614-2.443-1.248l-0.134-0.085-2.466-1.57c-1.541-0.98-2.461-1.565-3.179-2.344-0.637-0.689-1.149-1.483-1.515-2.347-0.413-0.976-0.567-2.054-0.825-3.863l-1.628-11.392c-0.059-0.416-0.111-0.778-0.131-1.081-0.021-0.323-0.012-0.648 0.087-0.98 0.148-0.501 0.439-0.949 0.835-1.289 0.264-0.226 0.557-0.366 0.86-0.478 0.285-0.106 0.636-0.206 1.04-0.322l0.031-9e-3 9.44-2.697 0.05-0.014c0.247-0.071 0.465-0.133 0.693-0.159 0.2-0.022 0.402-0.022 0.603 0 0.227 0.026 0.445 0.088 0.692 0.159l0.05 0.014 9.471 2.706c0.404 0.116 0.755 0.216 1.04 0.322 0.304 0.112 0.596 0.252 0.86 0.478 0.397 0.34 0.687 0.788 0.835 1.289 0.099 0.332 0.108 0.657 0.087 0.98-0.02 0.303-0.072 0.665-0.131 1.08v1e-3zm-2.352 10.972c-3.497 0-6.332 2.835-6.332 6.331 0 3.497 2.835 6.332 6.332 6.332s6.331-2.835 6.331-6.332c0-3.496-2.834-6.331-6.331-6.331zm4.313 4.197c0.319-0.384 0.268-0.954-0.116-1.274s-0.954-0.268-1.274 0.116l-3.888 4.666-2.013-2.013c-0.354-0.353-0.926-0.353-1.28 0-0.353 0.353-0.353 0.926 0 1.279l2.714 2.713c0.18 0.18 0.427 0.276 0.68 0.264 0.254-0.011 0.492-0.129 0.654-0.324l4.523-5.427zm-19.689-10.529c0-2.497 2.024-4.522 4.522-4.522s4.522 2.025 4.522 4.522c0 1.48-0.71 2.794-1.809 3.619v3.617c0 1.499-1.214 2.714-2.713 2.714s-2.713-1.215-2.713-2.714v-3.617c-1.099-0.825-1.809-2.139-1.809-3.619zm5.426 4.523h-1.808v2.713c0 0.5 0.405 0.905 0.904 0.905 0.5 0 0.904-0.405 0.904-0.905v-2.713zm-0.904-1.809c1.499 0 2.713-1.215 2.713-2.714 0-1.498-1.214-2.713-2.713-2.713s-2.713 1.215-2.713 2.713c0 1.499 1.214 2.714 2.713 2.714z" fill="#28323f"/>
-    <defs>
-        <image id="_Image2" width="25px" height="29px" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABkAAAAdCAYAAABfeMd1AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAa0lEQVRIiWP8U1b2n4HGgInWFgwvS1gYhOhgCbMp7S0ZPnFCp4gXpYclivSwhA4BNowi/vBzZtpbsuUBK80tGT5xQqcc/y6UDpZ806G5JcMoThj/07xFxMBid+sE7S1h+/ub5pYMn4iniyUAs5sPQ3yZHVsAAAAASUVORK5CYII="/>
-    </defs>
-</svg>

docs/basics/common-threats.en.md

@@ -38,7 +38,7 @@ To minimize the potential damage that a malicious piece of software can do, you
 
     Mobile operating systems are generally safer than desktop operating systems when it comes to application sandboxing. Apps cannot obtain root access and only have access to system resources which you grant them.
 
-    Desktop operating systems generally lag behind on proper sandboxing. Chrome OS has similar sandboxing properties to Android, and macOS has full system permission control and opt-in (for developers) sandboxing for applications, however these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make heavy use of virtual machines or containers, such as Qubes OS.
+    Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing properties to Android, and macOS has full system permission control and opt-in (for developers) sandboxing for applications, however these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make heavy use of virtual machines or containers, such as Qubes OS.
 
 <span class="pg-red">:material-target-account: Targeted Attacks</span>
 

docs/basics/multi-factor-authentication.en.md

@@ -1,8 +1,8 @@
 ---
-title: "Multifactor Authentication"
+title: "Multi-factor Authentication"
 icon: 'material/two-factor-authentication'
 ---
-**Multifactor authentication** is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
+**Multi-factor authentication** is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
 
 Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
 
@@ -40,7 +40,7 @@ Although not perfect, TOTP is secure enough for most people, and when [hardware
 
 The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory.
 
-These keys are generally multifunction and provide a number of methods to authenticate. Below are the most common ones.
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
 
 #### Yubico OTP
 
@@ -116,7 +116,7 @@ If you use SMS MFA, use a carrier who will not switch your phone number to a new
 
 ## More Places to Set Up MFA
 
-Beyond just securing your website logins, multifactor authentication can be used to secure your local logins, SSH keys or even password databases as well.
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
 
 ### Windows
 
@@ -156,7 +156,7 @@ SSH MFA could be set up using multiple different authentication methods that are
 
 #### Time-based One-time Password (TOTP)
 
-SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up MultiFactor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ.
 
 ### KeePass (and KeePassXC)
 

docs/basics/vpn-overview.en.md

@@ -39,7 +39,7 @@ By using a VPN with Tor, you're creating essentially a permanent entry node, oft
 
 VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead.
 
-## What about VPN providers that provides Tor nodes?
+## What about VPN providers that provide Tor nodes?
 
 Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).
 

docs/desktop-browsers.en.md

@@ -1,10 +1,8 @@
 ---
-title: "Web Browsers"
+title: "Desktop Browsers"
 icon: octicons/browser-16
 ---
-These are our currently recommended web browsers and configurations. In general, we recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+These are our currently recommended desktop web browsers and configurations. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
-
-## General Recommendations
 
 ### Tor Browser
 
@@ -30,15 +28,11 @@ These are our currently recommended web browsers and configurations. In general,
         - [:fontawesome-brands-apple: macOS](https://www.torproject.org/download/)
         - [:fontawesome-brands-linux: Linux](https://www.torproject.org/download/)
         - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.github.micahflee.torbrowser-launcher)
-        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
-        - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid/)
 
 !!! danger
 
     You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Nor should you manually enable HTTPS-only mode or edit `about:config` settings. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
 
-## Desktop Recommendations
-
 ### Firefox
 
 !!! recommendation
@@ -125,8 +119,6 @@ The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of ca
 
     Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
 
-    We don't recommend Brave's mobile browser offerings as there are better [options](#mobile-recommendations) for mobile platforms.
-
     [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
     [:pg-tor:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title=Onion }
     [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
@@ -155,6 +147,7 @@ Shields' options can be downgraded on a per-site basis as needed, but by default
 
 <div class="annotate" markdown>
 
+- [x] Select **Prevent sites from fingerprinting me based on my language preferences**
 - [x] Select **Aggressive** under Trackers & ads blocking
 
     ??? warning "Use default filter lists"
@@ -216,106 +209,6 @@ Under the *System* menu
 
 1. This option is not present on all platforms.
 
-## Mobile Recommendations
-
-On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
-
-On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
-
-### Bromite
-
-!!! recommendation
-
-    ![Bromite logo](assets/img/browsers/bromite.svg){ align=right }
-
-    **Bromite** is a Chromium-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization.
-
-    [:octicons-home-16: Homepage](https://www.bromite.org){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.bromite.org/privacy){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://github.com/bromite/bromite/wiki){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/bromite/bromite){ .card-link title="Source Code" }
-    [:octicons-heart-16:](https://github.com/bromite/bromite#donate){ .card-link title=Contribute }
-
-    ??? downloads annotate
-
-        - [:pg-f-droid: F-Droid](https://www.bromite.org/fdroid) (1)
-
-    1. If you use [Neo Store](/android/#neo-store), you can enable the *Bromite repository* in:<br> :material-dots-vertical: → **Repositories**
-
-These options can be found in :material-menu: → :gear: **Settings** → **Privacy and security**.
-
-#### Recommended Configuration
-
-##### HTTPS-Only Mode
-
-- [x] Select **Always use secure connections**
-
-This prevents you from unintentionally connecting to a website in plain-text HTTP. The HTTP protocol is extremely uncommon nowadays, so this should have little to no impact on your day to day browsing.
-
-##### Always-on Incognito Mode
-
-- [x] Select **Always open links in incognito** in the **Incognito mode** menu
-- [x] Select **Close all open tabs on exit**
-- [x] Select **Open external links in incognito**
-
-### Safari
-
-!!! recommendation
-
-    ![Safari logo](assets/img/browsers/safari.svg){ align=right }
-
-    **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
-
-    [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
-
-#### Recommended Configuration
-
-These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
-
-##### Cross-Site Tracking Prevention
-
-- [x] Enable **Prevent Cross-Site Tracking**
-
-This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
-
-##### Privacy Report
-
-Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
-
-Privacy Report is accessible via the Page Settings menu (:pg-textformat-size:).
-
-##### Privacy Preserving Ad Measurement
-
-- [ ] Disable **Privacy Preserving Ad Measurement**
-
-Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
-
-The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
-
-##### Apple Pay
-
-If you do not use Apple Pay, you can toggle off the ability for websites to check for it.
-
-- [ ] Disable **Allow websites to check for Apple Pay and Apple Card**
-
-##### Always-on Private Browsing
-
-Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
-
-- [x] Select **Private**
-
-Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
-
-Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
-
-##### iCloud Sync
-
-Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
-
-If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
-
 ## Additional Resources
 
 We generally do not recommend installing any extensions as they increase your attack surface. However, uBlock Origin or AdGuard may prove useful if you value content blocking functionality.
@@ -339,28 +232,7 @@ We generally do not recommend installing any extensions as they increase your at
         - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)
         - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak)
 
-We suggest leaving the extension in its default configuration. Additional filter lists can impact performance and may increase attack surface, so only apply what you need. If there is a [vulnerability in uBlock Origin](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) a third-party filter could add malicious rules that can potentially steal user data.
+We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and may increase attack surface, so only apply what you need. If there is a [vulnerability in uBlock Origin](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) a third-party filter could add malicious rules that can potentially steal user data.
-
-### AdGuard for iOS
-
-!!! recommendation
-
-    ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
-
-    **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
-
-    AdGuard for iOS has some premium features, however standard Safari content blocking is free of charge.
-
-    [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
-    [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
-    [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/apple-store/id1047223162)
-
-Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
 
 ### Snowflake
 

docs/email.en.md

@@ -240,7 +240,7 @@ Using an aliasing service requires trusting both your email provider and your al
         - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
         - [:fontawesome-brands-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
 
-The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/month plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
+The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.
 
 Notable free features:
 
@@ -274,6 +274,8 @@ Notable free features:
 
 SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
 
+You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Unlimited, Business or Visionary Plan, you will have SimpleLogin Premium for free.
+
 Notable free features:
 
 - [x] 15 Shared Aliases

docs/file-sharing.en.md

@@ -6,24 +6,6 @@ Discover how to privately share your files between your devices, with your frien
 
 ## File Sharing
 
-### Magic Wormhole
-
-!!! recommendation
-
-    ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ align=right }
-
-    **Magic Wormhole** is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another.
-
-    [:octicons-repo-16: Repository](https://github.com/magic-wormhole/magic-wormhole){ .md-button .md-button--primary }
-    [:octicons-info-16:](https://magic-wormhole.readthedocs.io/){ .card-link title=Documentation}
-    [:octicons-code-16:](https://github.com/magic-wormhole/magic-wormhole){ .card-link title="Source Code" }
-
-    ??? downloads
-
-        - [:fontawesome-brands-windows: Windows](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation)
-        - [:fontawesome-brands-apple: macOS](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#macos-os-x)
-        - [:fontawesome-brands-linux: Linux](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation)
-
 ### Bitwarden Send
 
 !!! recommendation

docs/linux-desktop.en.md

@@ -54,7 +54,7 @@ Tumbleweed follows a rolling release model where each update is released as a sn
 
 Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.
 
-Being a DIY distribution, you are [expected to set up and maintain](#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
+Being a DIY distribution, you are [expected to set up and maintain](linux-desktop/overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
 
 A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org).
 
@@ -116,13 +116,13 @@ Nix is a source-based package manager; if there’s no pre-built available in th
     [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation}
     [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute }
 
-Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation has to go through the Tor gateway and will be routed through the Tor Network.
+Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
 
 Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
 
 Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
 
-Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers).
+Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors.
 
 ### Tails
 
@@ -140,4 +140,6 @@ Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qube
 
 By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/first_steps/persistence/index.en.html) can be configured to store some data.
 
+Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.
+
 --8<-- "includes/abbreviations.en.md"

docs/linux-desktop/hardening.en.md

@@ -10,9 +10,14 @@ A [firewall](https://en.wikipedia.org/wiki/Firewall_(computing)) may be used to
 
 Red Hat distributions (such as Fedora) are typically configured through [firewalld](https://en.wikipedia.org/wiki/Firewalld). Red Hat has plenty of [documentation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/using-and-configuring-firewalld_configuring-and-managing-networking) regarding this topic. There is also the [Uncomplicated Firewall](https://en.wikipedia.org/wiki/Uncomplicated_Firewall) which can be used as an alternative.
 
-Consider blocking all ports which are **not** [well-known](https://en.wikipedia.org/wiki/Well-known_port#Well-known_ports) or “privileged ports.” That is, ports from 1025 up to 65535. Block both [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) and [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) after the operating system is installed.
+You could also set your default firewall zone to drop packets. If you're on a Redhat based distribution, such as Fedora this can be done with the following commands:
 
-If you use Fedora, consider removing the whitelist for [smb](https://en.wikipedia.org/wiki/Server_Message_Block)-client and [mdns](https://en.wikipedia.org/wiki/Multicast_DNS) services if you do not use them.
+!!! Example
+    ```
+    firewall-cmd --set-default-zone=drop;
+    firewall-cmd --add-protocol=ipv6-icmp --permanent;
+    firewall-cmd --add-service=dhcpv6-client --permanent;
+    ```
 
 All these firewalls use the [Netfilter](https://en.wikipedia.org/wiki/Netfilter) framework and therefore cannot protect against malicious programs running on the system. A malicious program could insert its own rules.
 
@@ -22,13 +27,14 @@ If you are using non-classic [Snap](https://en.wikipedia.org/wiki/Snap_(package_
 
 ## Kernel hardening
 
-There are some additional kernel hardening options such as configuring [sysctl](https://en.wikipedia.org/wiki/Sysctl#Linux) keys and [kernel command-line parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) which are described in the following pages. We don’t recommend you change these options unless you learn about what they do.
+Kernel hardening options such as configuring [sysctl](https://en.wikipedia.org/wiki/Sysctl#Linux) keys and [kernel command-line parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) can help harden your system. We suggest looking at the following [sysctl settings](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl) and [boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters).
 
-- [Recommended sysctl settings](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl)
+We **strongly** recommend that you learn what these options do before applying them. There are also some methods of [kernel attack surface reduction](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction) and [access restrictions to sysfs](https://madaidans-insecurities.github.io/guides/linux-hardening.html#restricting-sysfs) that can further improve security.
-- [Recommended boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters)
-- [Additional recommendations to reduce the kernel's attack surface](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction)
 
-Do **not** disable unprivileged user namespaces if you use software that relies on it, like: Podman, Docker and LXC containers. The option will prevent this software from working.
+!!! Note
+    Unprivileged [user namespaces](https://madaidans-insecurities.github.io/linux.html#kernel) can be disabled, due to it being responsible for various privileged escalation vulnerabilities. Some software such as Docker, Podman, and LXC require unprivileged user namespaces to function. If you use these tools you should not disable `kernel.unprivileged_userns_clone`.
+
+    Disabling access to `/sys` without a proper whitelist will lead to various applications breaking. This will unfortunately be an extremely tedious process for most users. Kicksecure, and by extension, Whonix, has an experimental [hide hardware info service](https://github.com/Kicksecure/security-misc/blob/master/lib/systemd/system/hide-hardware-info.service) which does just this. From our testing, these work perfectly fine on minimal Kicksecure installations and both Qubes-Whonix Workstation and Gateway. If you are using Kicksecure or Whonix, we recommend that you follow the [Kicksecure Wiki](https://www.kicksecure.com/wiki/Security-misc) to enable hide hardware info service.
 
 ## Linux-Hardened
 
@@ -38,11 +44,13 @@ Some distributions like Arch Linux have the [linux-hardened](https://github.com/
 
 LKRG is a kernel module that performs runtime integrity check on the kernel to help detect exploits against the kernel. LKRG works in a *post*-detect fashion, attempting to respond to unauthorized modifications to the running Linux kernel. While it is [bypassable by design](https://lkrg.org/), it does stop off-the-shelf malware that does not specifically target LKRG itself. This may make exploits harder to develop and execute on vulnerable systems.
 
-If you can get LKRG and maintain module updates it provides a worthwhile improvement to security. Debian based distributions can get the LKRG DKMS from KickSecure's secure repository and the [KickSecure documentation](https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG) has instructions on how this can be achieved. There is no LKRG package for Fedora yet, however the Qubes OS project has a COPR repository which [may become](https://github.com/QubesOS/qubes-issues/issues/5461) part of the main distribution in the future. Archlinux based systems provide LKRG DKMS modules via an [AUR package](https://aur.archlinux.org/packages/lkrg-dkms).
+If you can get LKRG and maintain module updates, it provides a worthwhile improvement to security. Debian based distributions can get the LKRG DKMS package from KickSecure's secure repository and the [KickSecure documentation](https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG) has instructions.
+
+On Fedora, [fepitre](https://github.com/fepitre), a QubesOS developer has a [COPR repository](https://copr.fedorainfracloud.org/coprs/fepitre/lkrg/) where you can install it. Arch based systems can obtain the LKRG DKMS package via an [AUR package](https://aur.archlinux.org/packages/lkrg-dkms).
 
 ## GRSecurity
 
-GRSecurity is a set of kernel patches that attempt to improve security of the Linux kernel.  It requires [payment to access](https://github.com/QubesOS/qubes-issues/issues/5461) the code.
+GRSecurity is a set of kernel patches that attempt to improve security of the Linux kernel. It requires [payment to access](https://grsecurity.net/purchase) the code and is worth using if you have a subscription.
 
 ## Simultaneous multithreading (SMT)
 
@@ -66,9 +74,25 @@ These flags could also be applied to `/home` and `/root` as well, however, `noex
 
 If you use [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/), `/var/log/journal` must not have any of those options. If you are on Arch Linux, do not apply `noexec` to `/var/tmp`.
 
+## Disabling SUID
+
+SUID allows a user to execute an application as the owner of that application, which in many cases, would be the `root` user. Vulnerable SUID executables could lead to privilege escalation vulnerabilities.
+
+It is desirable to remove SUID from as many binaries as possible; however, this takes substantial effort and trial and error on the user's part, as some applications require SUID to function.
+
+Kicksecure, and by extension, Whonix has an experimental [permission hardening service](https://github.com/Kicksecure/security-misc/blob/master/lib/systemd/system/permission-hardening.service) and [application whitelist](https://github.com/Kicksecure/security-misc/tree/master/etc/permission-hardening.d) to automate SUID removal from most binaries and libraries on the system. From our testing, these work perfectly fine on a minimal Kicksecure installation and both Qubes-Whonix Workstation and Gateway.
+
+If you are using Kicksecure or Whonix, we recommend that you follow the [Kicksecure Wiki](https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener) to enable the permission hardener.
+
+Users of other distributions can adapt the permission hardener to their own system based on the source code linked above.
+
+## Secure Time Synchronization
+
+Most Linux distributions by default (especially Arch based distributions with `systemd-timesyncd`) use un-encrypted NTP for time synchronization. Securing NTP can be achieved by [configuring NTS with chronyd](https://fedoramagazine.org/secure-ntp-with-nts/) or by using [swdate](https://github.com/Kicksecure/sdwdate) on Debian based distributions.
+
 ## Linux Pluggable Authentication Modules (PAM)
 
-There is also further hardening to [PAM](https://en.wikipedia.org/wiki/Linux_PAM) to secure authentication to your system. [This guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam) has some tips on this.
+The security of [PAM](https://en.wikipedia.org/wiki/Linux_PAM) can be [hardened](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam) to allow secure authentication to your system.
 
 On Red Hat distributions you can use [`authselect`](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel) to configure this e.g.:
 
@@ -86,26 +110,26 @@ Another alternative option if you’re using the [linux-hardened](#linux-hardene
 
 ## Secure Boot
 
-[Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot) can be used to secure the boot process by preventing the loading of [unsigned](https://en.wikipedia.org/wiki/Public-key_cryptography) [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) drivers or [boot loaders](https://en.wikipedia.org/wiki/Bootloader). Some guidance for this is provided in [this physical security guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html#physical-security) and [this verified boot guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot).
+[Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot) can be used to secure the boot process by preventing the loading of [unsigned](https://en.wikipedia.org/wiki/Public-key_cryptography) [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) drivers or [boot loaders](https://en.wikipedia.org/wiki/Bootloader).
 
-For further resources on Secure Boot, we suggest taking a look at the following for instructional advice:
+One of the problems with Secure Boot, particularly on Linux is, that only the [chainloader](https://en.wikipedia.org/wiki/Chain_loading#Chain_loading_in_boot_manager_programs) (shim), the [boot loader](https://en.wikipedia.org/wiki/Bootloader) (GRUB), and the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)) are verified and that's where verification stops. The [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) is often left unverified, unencrypted, and open up the window for an [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attack. The firmware on most devices is also configured to trust Microsoft's keys for Windows and its partners, leading to a large attacks surface.
 
-- The Archwiki’s [Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot) article. There are two main methods, the first is to use a [shim](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim), the second more complete way is to [use your own keys](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys).
+To eliminate the need to trust Microsoft's keys, follow the "Using your own keys" section on the [Arch Wiki](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot). The important thing that needs to be done here is to replace the OEM's key with your own Platform Key.
 
-For the background of how Secure Boot works on Linux:
+There are several ways to work around the unverified initramfs:
 
-- [The Strange State of Authenticated Boot and Disk Encryption on Generic Linux Distributions](https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html)
+The first way is to [encrypt the /boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). If you are on Fedora Workstation (not Silverblue), you can follow [this guide](https://mutschler.eu/linux/install-guides/fedora-btrfs-33/) to convert the existing installation to encrypted `/boot`. openSUSE comes with this that by default.
-- [Rod Smith’s Managing EFI Boot Loaders for Linux](https://www.rodsbooks.com/efi-bootloaders/)
-- [Dealing with Secure Boot](https://www.rodsbooks.com/efi-bootloaders/secureboot.html)
-- [Controlling Secure Boot](https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html)
 
-One of the problems with Secure Boot particularly on Linux is that only the [chainloader](https://en.wikipedia.org/wiki/Chain_loading#Chain_loading_in_boot_manager_programs) (shim), the [boot loader](https://en.wikipedia.org/wiki/Bootloader) (GRUB), and the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)) are verified and that’s where verification stops. The [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) is often left unverified, unencrypted, and open up the window for an [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attack. There are a few things that can be done to reduce risk such as:
+Encrypting `/boot` however have its own issues, one being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) so the boot process will take minutes to complete. Another problem with this is that you have to type the encryption password twice, which could be solved by following the [openSUSE Wiki](https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice).
 
-- Creating an [EFI Boot Stub](https://docs.kernel.org/admin-guide/efi-stub.html) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option.
+There are a few options depending on your configuration:
-- [Encrypting the boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). However, this has its own issues, the first being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) the boot process will take minutes to complete.
-- Using TPM to perform a [measured boot](https://www.krose.org/~krose/measured_boot).
 
-After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot.
+- If you enroll your own keys as described above, and your distribution supports Secure Boot by default, you can add your distribution's EFI Key into the list of trusted keys (db keys). It can then be enrolled into the firmware. Then, you should move all of your keys off your local storage device.
+- If you enroll your own keys as described above, and your distribution does **not** support Secure Boot out of the box (like Arch Linux), you have to leave the keys on the disk and setup automatic signing of the [kernel](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Signing_the_kernel_with_a_pacman_hook) and bootloader. If you are using Grub, you can install it with the `--no-shim-lock` option and remove the need for the chainloader.
+
+The second option is to creating an [EFI Boot Stub](https://wiki.archlinux.org/title/Unified_kernel_image) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk), and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option. This option also requires you to leave the keys on the disk to setup automatic signing, which weakens the security model.
+
+After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password”, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot.
 
 These recommendations can make you a little more resistant to [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, but they not good as a proper verified boot process such as that found on [Android](https://source.android.com/security/verifiedboot), [ChromeOS](https://support.google.com/chromebook/answer/3438631) or [Windows](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process).
 

docs/linux-desktop/overview.en.md

@@ -2,7 +2,7 @@
 title: Linux Overview
 icon: fontawesome/brands/linux
 ---
-It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/2022/02/02/floss-security.html). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
+It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years.
 
 At the moment, desktop GNU/Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.:
 
@@ -56,7 +56,7 @@ There is often some confusion about “security-focused” distributions and “
 
 ### Arch-based distributions
 
-Arch based distributions are not recommended for those new to Linux, regardless of the distribution. Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
+Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
 
 For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit).
 
@@ -67,6 +67,10 @@ If you are experienced with Linux and wish to use an Arch-based distribution, we
 - **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories.
 - **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
 
+### Kicksecure
+
+While we strongly recommend against using outdated distributions like Debian, if you decide to use it, we suggest that you [convert](https://www.kicksecure.com/wiki/Debian) it into [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
+
 ### Linux-libre kernel and “Libre” distributions
 
 We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons.

docs/mobile-browsers.en.md

@@ -0,0 +1,154 @@
+---
+title: "Mobile Browsers"
+icon: octicons/device-mobile-16
+---
+These are our currently recommended mobile web browsers and configurations. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+
+## Android
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+
+### Brave
+
+!!! recommendation
+
+    ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+    **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+    Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+    [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary }
+    [:pg-tor:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title=Onion }
+    [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" }
+
+    ??? downloads annotate
+
+        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+<div class="annotate" markdown>
+
+- [x] Select **Aggressive** under Block trackers & ads
+
+    ??? warning "Use default filter lists"
+        Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+</div>
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social Media Blocking
+
+- [ ] Uncheck all social media components
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [ ] Uncheck **IPFS Gateway**
+
+##### Other privacy settings
+
+- [x] Select **Disable Non-Proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [ ] Uncheck **Automatically send diagnostic reports**
+- [x] Select **Always use secure connections**
+- [x] Select **Close tabs on exit**
+- [x] Select **Clear data on exit**
+
+## iOS
+
+On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
+
+### Safari
+
+!!! recommendation
+
+    ![Safari logo](assets/img/browsers/safari.svg){ align=right }
+
+    **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.
+
+    [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation}
+
+#### Recommended Configuration
+
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.
+
+##### Cross-Site Tracking Prevention
+
+- [x] Enable **Prevent Cross-Site Tracking**
+
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
+
+##### Privacy Report
+
+Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
+
+Privacy Report is accessible via the Page Settings menu (:pg-textformat-size:).
+
+##### Privacy Preserving Ad Measurement
+
+- [ ] Disable **Privacy Preserving Ad Measurement**
+
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
+
+##### Always-on Private Browsing
+
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
+
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
+
+##### iCloud Sync
+
+Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
+
+If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
+
+### AdGuard
+
+!!! recommendation
+
+    ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right }
+
+    **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker).
+
+    AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge.
+
+    [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary }
+    [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" }
+    [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" }
+
+    ??? downloads
+
+        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/apple-store/id1047223162)
+
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
+
+--8<-- "includes/abbreviations.en.md"

docs/news-aggregators.en.md

@@ -31,7 +31,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
 
     ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right }
 
-    **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports it supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) and [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
+    **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).
 
     [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary }
     [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" }

docs/real-time-communication.en.md

@@ -12,7 +12,7 @@ icon: material/chat-processing
 
     **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling.
 
-    All communications are E2EE. Contact lists are encrypted using your login PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts who add you.
+    All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with.
 
     [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary }
     [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
@@ -28,14 +28,24 @@ icon: material/chat-processing
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id874139669)
 
-Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server.
+Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.
-
-Signal requires your phone number as a personal identifier.
-
-[Sealed Sender](https://signal.org/blog/sealed-sender/) is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam.
 
 The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/).
 
+We also suggest Molly as an alternative to the official Signal app.
+
+![Molly logo](/assets/img/messengers/molly.svg){ align=right }
+
+**Molly** is a Signal fork for Android that provides additional hardening and security features to Signal.
+
+[:octicons-home-16: Homepage](https://molly.im/){ .md-button }
+[:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://github.com/mollyim/mollyim-android#readme){ .card-link title=Documentation}
+[:octicons-code-16:](https://github.com/mollyim/mollyim-android){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://opencollective.com/mollyim){ .card-link title=Contribute }
+
+[Signal Configuration and Hardening :hero-arrow-circle-right-fill:](./advanced/signal-configuration-hardening.md)
+
 ### Element
 
 !!! recommendation

docs/tools.en.md

@@ -15,31 +15,31 @@ For more details about each project, why they were chosen, and additional tips o
 
 <div class="grid cards" markdown>
 
-- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](browsers.md#tor-browser)
+- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](desktop-browsers.md#tor-browser)
-- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Desktop)](browsers.md#firefox)
+- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Desktop)](desktop-browsers.md#firefox)
-- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Desktop)](browsers.md#brave)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Desktop)](desktop-browsers.md#brave)
-- ![Bromite logo](assets/img/browsers/bromite.svg){ .twemoji } [Bromite (Android)](browsers.md#bromite)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave-android)
-- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](browsers.md#safari)
+- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari)
 
 </div>
 
-[Learn more :hero-arrow-circle-right-fill:](browsers.md)
+[Learn more :hero-arrow-circle-right-fill:](desktop-browsers.md)
 
 **Additional Resources:**
 
 <div class="grid cards annotate" markdown>
 
-- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](browsers.md#ublock-origin)
+- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin)
-- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](browsers.md#adguard-for-ios)
+- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard-for-ios)
-- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](browsers.md#snowflake) (1)
+- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](desktop-browsers.md#snowflake) (1)
-- ![ToS;DR logo](assets/img/browsers/terms_of_service_didnt_read.svg){ .twemoji } [Terms of Service; Didn't Read](browsers.md#terms-of-service-didnt-read) (2)
+- ![ToS;DR logo](assets/img/browsers/terms_of_service_didnt_read.svg){ .twemoji } [Terms of Service; Didn't Read](desktop-browsers.md#terms-of-service-didnt-read) (2)
 
 </div>
 
 1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy.
 2. We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website.
 
-[Learn more :hero-arrow-circle-right-fill:](browsers.md#additional-resources)
+[Learn more :hero-arrow-circle-right-fill:](desktop-browsers.md#additional-resources)
 
 ## Operating Systems
 
@@ -49,7 +49,6 @@ For more details about each project, why they were chosen, and additional tips o
 
 - ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos)
 - ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos)
-- ![CalyxOS logo](assets/img/android/calyxos.svg){ .twemoji } [CalyxOS](android.md#calyxos)
 
 </div>
 
@@ -299,7 +298,6 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ .twemoji } [Magic Wormhole](file-sharing.md#magic-wormhole)
 - ![Bitwarden logo](assets/img/file-sharing-sync/bitwarden.svg){ .twemoji } [Bitwarden](file-sharing.md#bitwarden-send)
 - ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
 - ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
@@ -369,6 +367,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 <div class="grid cards" markdown>
 
 - ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal)
+- ![Molly logo](assets/img/messengers/molly.svg){ .twemoji } [Molly (Hardened Signal fork for Android)](/advanced/signal-configuration-hardening/#hardening-signal-with-molly-on-android)
 - ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element)
 - ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session)
 - ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](real-time-communication.md#briar)

docs/vpn.en.md

@@ -199,7 +199,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
 
 ??? info "Additional Functionality"
 
-    Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/en/index.html) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
+    Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion).
 
 ## Our Criteria
 

includes/abbreviations.en.md

@@ -16,6 +16,7 @@
 *[EEA]: European Economic Area
 *[EOL]: End-of-Life
 *[Exif]: Exchangeable image file format
+*[FCM]: Firebase Cloud Messaging
 *[FDE]: Full Disk Encryption
 *[FIDO]: Fast IDentity Online
 *[GDPR]: General Data Protection Regulation
@@ -44,6 +45,7 @@
 *[MEID]: Mobile Equipment Identifier
 *[MFA]: Multi-Factor Authentication
 *[NVMe]: Nonvolatile Memory Express
+*[NTP]: Network Time Protocol
 *[OCI]: Open Container Initiative
 *[OCSP]: Online Certificate Status Protocol
 *[OEM]: Original Equipment Manufacturer
@@ -53,6 +55,7 @@
 *[OTPs]: One-Time Passwords
 *[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
 *[P2P]: Peer-to-Peer
+*[PAM]: Linux Pluggable Authentication Modules
 *[PGP]: Pretty Good Privacy (see OpenPGP)
 *[PII]: Personally Identifiable Information
 *[QNAME]: Qualified Name
@@ -64,6 +67,7 @@
 *[SNI]: Server Name Indication
 *[SSD]: Solid-State Drive
 *[SSH]: Secure Shell
+*[SUID]: Set Owner User ID
 *[SaaS]: Software as a Service (cloud software)
 *[SoC]: System on Chip
 *[TCP]: Transmission Control Protocol
@@ -72,6 +76,7 @@
 *[TOTP]: Time-based One-Time Password
 *[TPM]: Trusted Platform Module
 *[U2F]: Universal 2nd Factor
+*[UEFI]: Unified Extensible Firmware Interface
 *[UDP]: User Datagram Protocol
 *[VPN]: Virtual Private Network
 *[VoIP]: Voice over IP (Internet Protocol)
@@ -80,5 +85,6 @@
 *[attack surface]: The attack surface of software or hardware is the sum of the different places an attacker can try to enter data to or extract data from.
 *[cgroups]: Control Groups
 *[fork]: In software development, a fork is created when developers take a copy of source code from one software package and start independent development on it, creating a distinct and separate piece of software.
+*[hypervisor]: A hypervisor is computer software, firmware, or hardware that allows partitioning the resource of a CPU among multiple operating systems or independent programs.
 *[rolling release]: An update release cycle in which updates are released very frequently, instead of at set intervals.
 *[walled garden]: A walled garden (or closed platform) is one in which the service provider has control over applications, content, and/or media, and restricts convenient access to non-approved applicants or content.

mkdocs.yml

@@ -168,10 +168,12 @@ nav:
     - 'Advanced':
       - 'advanced/integrating-metadata-removal.md'
       - 'advanced/erasing-data.md'
+      - 'advanced/signal-configuration-hardening.md'
   - 'Recommendations':
     - 'tools.md'
     - 'Browsers':
-      - 'browsers.md'
+      - 'desktop-browsers.md'
+      - 'mobile-browsers.md'
     - 'Operating Systems':
       - 'android.md'
       - 'linux-desktop.md'

theme/partials/logo.html

@@ -1,2 +1,2 @@
-<img src="/assets/rainbow-brand/privacy-guides-logo-notext.svg#only-light" alt="logo">
+<img src="/assets/brand/SVG/Logo/privacy-guides-logo-notext.svg#only-light" alt="logo">
-<img src="/assets/rainbow-brand/privacy-guides-logo-notext-darkbg.svg#only-dark" alt="logo">
+<img src="/assets/brand/SVG/Logo/privacy-guides-logo-notext-darkbg.svg#only-dark" alt="logo">