Split Android page into separate articles and update device recommendations (#1053)

Co-authored-by: Tad <8296104+SkewedZeppelin@users.noreply.github.com>

.github/workflows/deploy.yml

@@ -1,5 +1,6 @@
 name: Deploy Website
 on:
+  workflow_dispatch:
   release:
     types: [published]
 
@@ -36,12 +37,12 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
         run: |
-          git clone --depth 1 https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+          git clone --depth 1 https://${GH_TOKEN}@github.com/privacyguides/mkdocs-material-insiders.git
           pip install -e mkdocs-material-insiders
 
       - name: Build website
         run: |
-          mkdocs build --config-file mkdocs.production.yml
+          mkdocs build
           mv .well-known site/
           tar cvf site.tar site
           mkdocs --version

crowdin.yml

@@ -2,8 +2,8 @@ project_id_env: CROWDIN_PROJECT_ID
 api_token_env: CROWDIN_PERSONAL_TOKEN
 "preserve_hierarchy": true
 files:
-- source: "/docs/**/*.en.md"
-  translation: "/docs/**/%file_name%.%locale_with_underscore%.md"
+- source: "/docs/**/*.en.*"
+  translation: "/docs/**/%file_name%.%locale_with_underscore%.%file_extension%"
   translation_replace:
     "en.": ""
   update_option: update_as_unapproved

docs/android.en.md

@@ -2,12 +2,21 @@
 title: "Android"
 icon: 'fontawesome/brands/android'
 ---
-Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
 
-The main privacy concern with most Android devices is that they usually include [Google Play Services](https://developers.google.com/android/guides/overview). This component is proprietary, [closed source](https://en.wikipedia.org/wiki/Proprietary_software), has a privileged role on your phone, and may collect private user information. It is neither a part of the [Android Open Source Project](https://source.android.com/) (AOSP) nor is it included with the below derivatives.
+These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. We also have additional Android-related information:
+
+- [General Android Overview and Recommendations :material-arrow-right:](android/overview.md)
+- [Android Security and Privacy Features :material-arrow-right:](android/security.md)
+- [GrapheneOS vs CalyxOS Comparison :material-arrow-right:](android/grapheneos-vs-calyxos.md)
 
 ## AOSP Derivatives
 
+Generally speaking we recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. If you are unable to run any of the following operating systems on your device, you are likely going to be best off sticking with your stock Android installation (as opposed to an operating system not listed here such as LineageOS), but we would recommend upgrading to a new device if at all possible.
+
+!!! note
+
+    End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure regardless of installed software.
+
 ### GrapheneOS
 
 !!! recommendation
@@ -25,19 +34,13 @@ Notably, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usag
 
 Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet its hardware security requirement and are supported.
 
-!!! attention
-
-    GrapheneOS's "extended support" devices do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure.
-
 ### CalyxOS
 
 !!! recommendation
 
     ![CalyxOS logo](assets/img/android/calyxos.svg){ align=right }
 
-    **CalyxOS** is a decent alternative to GrapheneOS.
-
-    It has some privacy features on top of AOSP, including [Datura firewall](https://calyxos.org/docs/tech/datura-details), [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
+    **CalyxOS** is a system with some privacy features on top of AOSP, including [Datura](https://calyxos.org/docs/tech/datura-details) firewall, [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
 
     [Visit calyxos.org](https://calyxos.org/){ .md-button .md-button--primary } [Privacy Policy](https://calyxinstitute.org/legal/privacy-policy){ .md-button }
 
@@ -45,10 +48,6 @@ To accomodate users who need Google Play Services, CalyxOS optionally includes [
 
 Currently, CalyxOS only supports [Pixel phones](https://calyxos.org/docs/guide/device-support/).
 
-!!! attention
-
-    CalyxOS's "extended support" does not have full security patches due to the original equipment manufacturer (OEM) discontinuing support; therefore, they cannot be considered completely secure.
-
 ### DivestOS
 
 !!! recommendation
@@ -72,41 +71,74 @@ DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://devel
 
     Not all of the supported devices have [verified boot](https://source.android.com/security/verifiedboot), and some perform it better than others.
 
-## Android security and privacy features
+## Android Devices
 
-### User Profiles
+Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution.
 
-Multiple user profiles (Settings → System → Multiple users) are the simplest way to isolate in Android. With user profiles you can limit a user from making calls, SMS or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles is a more secure method of isolation.
+Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
 
-### Work Profile
+A few more tips regarding Android devices and operating system compatibility:
 
-[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
+- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
+- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
+- In short, if a device or Android distribution is not listed here, there is probably a good reason, so check our [discussions](https://github.com/privacyguides/privacyguides.org/discussions) page.
 
-A **device controller** such as [Shelter](#recommended-apps) is required, unless you're using CalyxOS which includes one.
+### Google Pixel
 
-The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. The user must also fully trust the device controller app, as it has full access to the data inside of the work profile.
+!!! recommendation
 
-This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+    ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right }
 
-### Verified Boot
+    **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems.
 
-[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+    Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer.
 
-Android 10 and above has moved away from full-disk encryption (FDE) to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based).
+    [Visit store.google.com](https://store.google.com/category/phones){ .md-button .md-button--primary }
 
-Each user's data is encrypted using their own unique encryption key, and the operating system files are left unencrypted. Verified Boot ensures the integrity of the operating system files preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon reboot of the device.
+Unless you know you have a specific need for [CalyxOS/microG features](https://calyxos.org/features/) that are unavailable on GrapheneOS, we strongly recommend GrapheneOS over other operating system choices on Pixel devices.
 
-Unfortunately, original equipment manufacturers (OEMs) are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom Android Verified Boot (AVB) key enrollment on their devices. Some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+[More about GrapheneOS vs CalyxOS](android/grapheneos-vs-calyxos.md){ .md-button }
 
-### VPN Killswitch
+The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.
 
-Android 7 and above supports a VPN killswitch and it is available without the need to install third party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in ⚙️ Settings → Network & internet → VPN → ⚙️ → Block connections without VPN.
+A few more tips for purchasing a Google Pixel:
 
-### Global Toggles
+- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
+- Consider price beating options and specials offered at [brick and mortar](https://en.wikipedia.org/wiki/Brick_and_mortar) stores.
+- Look at online community bargain sites in your country. These can alert you to good sales.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EoL Date }-\text{ Current Date}$, meaning that the longer use of the device the lower cost per day.
 
-Modern Android devices have global toggles for disabling [Bluetooth](https://en.wikipedia.org/wiki/Bluetooth) and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
+### Other Devices
 
-## Recommended Apps
+!!! important
+
+    Google Pixel phones are the only devices which are fully supported by all of our recommended Android distributions. Additionally, Pixel devices have stronger hardware security than any other Android device currently on the market, due to Google's custom Titan security chips acting as the Secure Element for secrets storage and rate limiting. Secure Elements are more limited and have a smaller attack surface than the Trusted Execution Environment (TEE), which is also used to run "trusted" programs. Most other phones do not have a Secure Element and have to using the TEE for both secrets storage, rate limiting, and trusted computing."
+
+If you are unable to purchase a Pixel device, any device which is supported by CalyxOS should be reasonably secure and private enough for most users after installing CalyxOS.
+
+In any case, when purchasing a device we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. 
+
+We do not recommend the following devices over a Google Pixel device, but we do have some notes on devices from other manufacturers:
+
+#### OnePlus
+
+If you are unable to obtain a Google Pixel, recent OnePlus devices provide a good balance of security with custom operating systems and longevity, with OnePlus 8 and later devices receiving 4 years of security updates. CalyxOS has [experimental support](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/) for the **OnePlus 8T** and **9**.
+
+DivestOS has support for most OnePlus devices up to the **OnePlus 7T Pro**, with varying levels of support.
+
+#### Fairphone
+
+!!! danger
+
+    Out of the box, Fairphone devices are incredibly insecure. [Fairphone's stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11), meaning any system can be installed and the phone will trust it as if it is the stock system. This essentially breaks verified boot on a stock Fairphone device.
+
+    This problem is solved when you install a custom operating system such as CalyxOS or DivestOS and trust the developer's signing keys rather than the stock system's. To reiterate, **you must install a custom operating system with custom boot keys to use Fairphone devices in a secure manner.**
+
+CalyxOS has [experimental support](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/) for the **Fairphone 4**. DivestOS has builds available for the **Fairphone 3**.
+
+While Fairphone markets their devices as receiving 6 years of support, the SOC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably sooner EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+
+## General Apps
 
 ### Orbot
 
@@ -251,96 +283,7 @@ Main privacy features include:
 
     You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this we suggest [Pocket Paint](https://github.com/Catrobat/Paintroid) or [Imagepipe](https://codeberg.org/Starfish/Imagepipe).
 
-## General Recommendations
-
-### Avoid Root
-
-[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful [Verified Boot](https://source.android.com/security/verifiedboot). Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) policy bypasses.
-
-Adblockers (AdAway) which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](dns.md) or [VPN](vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
-
-AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
-
-We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
-
-### Firmware Updates
-
-Firmware updates are critical for maintaining security and without them your device cannot be secure. Original equipment manufacturers (OEMs)—in other words, phone manufacturers—have support agreements with their partners to provide the closed source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
-
-As the components of the phone such as the processor and radio technologies rely on closed source components, the updates must be provided by the respective manufacturers. Therefore it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years while cheaper products often have shorter support. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own system on chip (SoC) and they will provide 5 years of support.
-
-Devices that have reached their end-of-life (EoL) and are no longer supported by the SoC manufacturer, cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
-
-### Android Versions
-
-It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any user apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
-
-### Android Permissions
-
-[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant users control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All user installed apps are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore there is no need to install any antivirus apps. The savings you make from not purchasing or subscribing to security apps is better spent on paying for a supported device in the future.
-
-Should you want to run an app that you're unsure about, consider using a user or work [profile](android/#android-security-privacy).
-
-### Advanced Protection Program
-
-If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) support.
-
-The Advanced Protection Program provides enhanced threat monitoring and enables:
-
-- Stricter two factor authentication; e.g. that [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) or [FIDO2](https://en.wikipedia.org/wiki/WebAuthn) **must** be used and disallows the use of [SMS OTPs](https://en.wikipedia.org/wiki/One-time_password#SMS), [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password), and [OAuth](https://en.wikipedia.org/wiki/OAuth)
-- Only Google and verified third party apps can access account data
-- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
-- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
-- Stricter recovery process for accounts with lost credentials
-
- For users that are using the privileged Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
-
-- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
-- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
-- Warning the user about unverified applications
-
-### SafetyNet and Play Integrity API
-
-[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financal apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
-
-As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
-
-### Advertising ID
-
-All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
-
-On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to ⚙️ Settings → Apps → Sandboxed Google Play → Google Settings → Ads and select **Delete advertising ID**.
-
-On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
-
-- ⚙️ Settings → Google → Ads
-- ⚙️ Settings → Privacy → Ads
-
-Depending on your system, you will either be given the option to delete your advertising ID or to "Opt out of interest-based ads". You should delete the advertising ID if you are given the option to, and if you are not, we recommend that you opt out of interested-based ads and then reset your advertising ID.
-
-### Android Device Shopping
-
-Google Pixels are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot). Some other phones such as the Fairphone and OnePlus devices also support custom Android Verified Boot (AVB) key enrollment. However, there have been issues with their older models. In the past they were using [test keys](https://social.coop/@dazinism/105346943304083054) or not doing proper verification, making Verified Boot on those devices useless.
-
-Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. Phones that cannot be unlocked will often have an [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity) starting with "35", that includes phones from purchased from Verizon, Telus, Rogers, EE, etc.
-
-Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner.
-
-We have these general tips:
-
-- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
-- Consider price beating options and specials offered at [brick and mortar](https://en.wikipedia.org/wiki/Brick_and_mortar) stores.
-- Look at online community bargain sites in your country. These can alert you to good sales.
-- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EoL Date }-\text{ Current Date}$, meaning that the longer use of the device the lower cost per day.
-- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer.
-- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with.
-- In short, if a device or Android distribution is not listed here, there is probably a good reason, so check our [discussions](https://github.com/privacyguides/privacyguides.org/discussions) page.
-
-The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. The GrapheneOS project is not currently affiliated with any vendor and cannot ensure the quality or security of their products.
-
-A [CalyxOS membership](https://calyxinstitute.org/membership/calyxos) also entitles you to a device preloaded with CalyxOS.
-
-## Where to get your applications
+## App Stores
 
 ### GrapheneOS's App Store
 
@@ -381,40 +324,3 @@ To mitigate these problems, we recommend [Droid-ify](https://github.com/Iamlooke
     **Downloads:**
     - [:fontawesome-brands-android: APK Download](https://android.izzysoft.de/repo/apk/com.looker.droidify)
     - [:fontawesome-brands-github: GitHub](https://github.com/Iamlooker/Droid-ify)
-
-## Security comparison of GrapheneOS and CalyxOS
-
-### Profiles
-
-CalyxOS includes a device controller app so there is no need to install a third party app like [Shelter](#recommended-apps). GrapheneOS plans to introduce nested profile support with better isolation in the future.
-
-GrapheneOS extends the [user profile](#android-security-privacy) feature allowing a user to press an "End Session" button. This button clears the encryption key from memory. There are plans to add a [cross profile notifications system](https://github.com/GrapheneOS/os-issue-tracker/issues/88) in the future.
-
-### Sandboxed Google Play vs Privileged MicroG
-
-When Google Play services are used on GrapheneOS, they run as a user app and are contained within a user or work profile.
-
-Sandboxed Google Play is confined using the highly restrictive, default [`untrusted_app`](https://source.android.com/security/selinux/concepts) domain provided by [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux). Permissions for apps to use Google Play Services can be revoked at any time by the user.
-
-MicroG is a reimplementation of Google Play Services. This means it needs to be updated every time Android has a major version update (or the Android API changes). It also needs to run in the highly privileged [`system_app`](https://source.android.com/security/selinux/concepts) SELinux domain like normal Google Play Services and requires access to [signature spoofing](https://madaidans-insecurities.github.io/android.html#microg-signature-spoofing) so this is less secure than the Sandboxed Google Play approach. We do not believe MicroG provides any privacy advantages over Sandboxed Google Play except for the option to *shift trust* of the location backend from Google to another provider such as Mozilla or DejaVu.
-
-From a usability point of view, Sandboxed Google Play also works well with far more applications than MicroG, thanks to its support for services like [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html).
-
-### Privileged App Extensions
-
-Android 12 comes with special support for seamless app updates with [third party app stores](https://android-developers.googleblog.com/2020/09/listening-to-developer-feedback-to.html). The popular Free and Open Source Software (FOSS) repository [F-Droid](https://f-droid.org) doesn't implement this feature and requires a [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged) to be included with the Android distribution in order to have unattended app installation.
-
-GrapheneOS doesn't compromise on security; therefore, they do not include the F-Droid extension. Users have to confirm all updates manually if they want to use F-Droid. Alternatively, they can use the Droid-ify client which does support seamless app updates in Android 12. GrapheneOS officially recommends [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play) instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like [NewPipe](video-streaming.md)).
-
-CalyxOS includes the [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged), which may lower device security. Seamless app updates should be possible with [Aurora Store](https://auroraoss.com) in Android 12.
-
-### Additional hardening
-
-GrapheneOS improves upon [AOSP](https://source.android.com/) security with:
-
-- **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means user installed apps that use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium/tree/12/patches) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it.
-- **Hardened Kernel:** GrapheneOS kernel includes some hardening from the [linux-hardened](https://github.com/GrapheneOS/linux-hardened) project and the [Kernel Self Protection Project (KSPP)](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project). CalyxOS uses the [same kernel](https://calyxos.org/docs/development/build/kernel/) as regular Android with some minor modifications.
-- **Hardened Memory Allocator:** GrapheneOS uses the [hardened malloc](https://github.com/GrapheneOS/hardened_malloc) subproject as its memory allocator. This focuses on hardening against [memory heap corruption](https://en.wikipedia.org/wiki/Memory_corruption). CalyxOS uses the default AOSP [Scudo Malloc](https://source.android.com/devices/tech/debug/scudo), which is generally [less effective](https://twitter.com/danielmicay/status/1033671709197398016). Hardened Malloc has uncovered vulnerabilities in AOSP which have been [fixed](https://github.com/GrapheneOS/platform_system_core/commit/be11b59725aa6118b0e1f0712572e835c3d50746) by GrapheneOS such as [CVE-2021-0703](https://nvd.nist.gov/vuln/detail/CVE-2021-0703).
-- **Secure Exec Spawning:** GrapheneOS [spawns](https://en.wikipedia.org/wiki/Spawn_(computing)) fresh processes as opposed to using the [Zygote model](https://ayusch.com/android-internals-the-android-os-boot-process) used by AOSP and CalyxOS. The Zygote model weakens [Address Space Layout Randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) and is considered [less secure](https://wenke.gtisc.gatech.edu/papers/morula.pdf). Creating [fresh processes](https://grapheneos.org/usage#exec-spawning) is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an [old device](https://support.google.com/nexus/answer/4457705) with slow storage such as the Pixel 3a/3a XL as it has [eMMC](https://en.wikipedia.org/wiki/MultiMediaCard#eMMC).
-
-**Please note that these are just a few examples and are not an extensive list of GrapheneOS's hardening**. For a more complete list, please read GrapheneOS' [official documentation](https://grapheneos.org/features).

docs/android/grapheneos-vs-calyxos.md

@@ -0,0 +1,38 @@
+---
+title: "GrapheneOS vs CalyxOS"
+icon: 'material/cellphone-cog'
+---
+## Profiles
+
+CalyxOS includes a device controller app so there is no need to install a third party app like Shelter.
+
+GrapheneOS extends the user profile feature allowing a user to press an "End Session" button. This button clears the encryption key from memory. There are plans to add a [cross profile notifications system](https://github.com/GrapheneOS/os-issue-tracker/issues/88) in the future. GrapheneOS plans to introduce nested profile support with better isolation in the future.
+
+## Sandboxed Google Play vs Privileged MicroG
+
+When Google Play services are used on GrapheneOS, they run as a user app and are contained within a user or work profile.
+
+Sandboxed Google Play is confined using the highly restrictive, default [`untrusted_app`](https://source.android.com/security/selinux/concepts) domain provided by [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux). Permissions for apps to use Google Play Services can be revoked at any time by the user.
+
+MicroG is a reimplementation of Google Play Services. This means it needs to be updated every time Android has a major version update (or the Android API changes). It also needs to run in the highly privileged [`system_app`](https://source.android.com/security/selinux/concepts) SELinux domain like normal Google Play Services and requires access to [signature spoofing](https://madaidans-insecurities.github.io/android.html#microg-signature-spoofing) so this is less secure than the Sandboxed Google Play approach. We do not believe MicroG provides any privacy advantages over Sandboxed Google Play except for the option to *shift trust* of the location backend from Google to another provider such as Mozilla or DejaVu.
+
+From a usability point of view, Sandboxed Google Play also works well with far more applications than MicroG, thanks to its support for services like [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html).
+
+## Privileged App Extensions
+
+Android 12 comes with special support for seamless app updates with [third party app stores](https://android-developers.googleblog.com/2020/09/listening-to-developer-feedback-to.html). The popular Free and Open Source Software (FOSS) repository [F-Droid](https://f-droid.org) doesn't implement this feature and requires a [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged) to be included with the Android distribution in order to have unattended app installation.
+
+GrapheneOS doesn't compromise on security; therefore, they do not include the F-Droid extension. Users have to confirm all updates manually if they want to use F-Droid. Alternatively, they can use the Droid-ify client which does support seamless app updates in Android 12. GrapheneOS officially recommends [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play) instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like [NewPipe](../video-streaming.md)).
+
+CalyxOS includes the [privileged extension](https://f-droid.org/en/packages/org.fdroid.fdroid.privileged), which may lower device security. Seamless app updates should be possible with [Aurora Store](https://auroraoss.com) in Android 12.
+
+## Additional hardening
+
+GrapheneOS improves upon [AOSP](https://source.android.com/) security with:
+
+- **Hardened WebView:** Vanadium WebView requires [64-bit](https://en.wikipedia.org/wiki/64-bit_computing) processes on the [WebView](https://developer.android.com/reference/android/webkit/WebView) process and disables legacy [32-bit](https://en.wikipedia.org/wiki/32-bit_computing) processes. It uses hardened compiler options such as [`-fwrapv`](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html) and [`-fstack-protector-strong`](https://gcc.gnu.org/onlinedocs/gcc-4.9.3/gcc/Optimize-Options.html), which can help protect against [stack buffer overflows](https://en.wikipedia.org/wiki/Stack_buffer_overflow). [API](https://en.wikipedia.org/wiki/API)s such as the [battery status API](https://chromestatus.com/feature/4537134732017664) are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView which means user installed apps that use WebView will also benefit from Vanadium's hardening. The [Vanadium patch set](https://github.com/GrapheneOS/Vanadium/tree/12/patches) is a lot more comprehensive than CalyxOS's [Chromium patch set](https://gitlab.com/CalyxOS/chromium-patches) which is derived from it.
+- **Hardened Kernel:** GrapheneOS kernel includes some hardening from the [linux-hardened](https://github.com/GrapheneOS/linux-hardened) project and the [Kernel Self Protection Project (KSPP)](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project). CalyxOS uses the [same kernel](https://calyxos.org/docs/development/build/kernel/) as regular Android with some minor modifications.
+- **Hardened Memory Allocator:** GrapheneOS uses the [hardened malloc](https://github.com/GrapheneOS/hardened_malloc) subproject as its memory allocator. This focuses on hardening against [memory heap corruption](https://en.wikipedia.org/wiki/Memory_corruption). CalyxOS uses the default AOSP [Scudo Malloc](https://source.android.com/devices/tech/debug/scudo), which is generally [less effective](https://twitter.com/danielmicay/status/1033671709197398016). Hardened Malloc has uncovered vulnerabilities in AOSP which have been [fixed](https://github.com/GrapheneOS/platform_system_core/commit/be11b59725aa6118b0e1f0712572e835c3d50746) by GrapheneOS such as [CVE-2021-0703](https://nvd.nist.gov/vuln/detail/CVE-2021-0703).
+- **Secure Exec Spawning:** GrapheneOS [spawns](https://en.wikipedia.org/wiki/Spawn_(computing)) fresh processes as opposed to using the [Zygote model](https://ayusch.com/android-internals-the-android-os-boot-process) used by AOSP and CalyxOS. The Zygote model weakens [Address Space Layout Randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) and is considered [less secure](https://wenke.gtisc.gatech.edu/papers/morula.pdf). Creating [fresh processes](https://grapheneos.org/usage#exec-spawning) is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an [old device](https://support.google.com/nexus/answer/4457705) with slow storage such as the Pixel 3a/3a XL as it has [eMMC](https://en.wikipedia.org/wiki/MultiMediaCard#eMMC).
+
+**Please note that these are just a few examples and are not an extensive list of GrapheneOS's hardening**. For a more complete list, please read GrapheneOS' [official documentation](https://grapheneos.org/features).

docs/android/overview.md

@@ -0,0 +1,72 @@
+---
+title: Android Overview
+icon: material/cellphone-check
+---
+Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
+
+The main privacy concern with most Android devices is that they usually include [Google Play Services](https://developers.google.com/android/guides/overview). This component is proprietary, [closed source](https://en.wikipedia.org/wiki/Proprietary_software), has a privileged role on your phone, and may collect private user information. It is neither a part of the [Android Open Source Project](https://source.android.com/) (AOSP) nor is it included with the below derivatives.
+
+## Avoid Root
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful [Verified Boot](https://source.android.com/security/verifiedboot). Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) policy bypasses.
+
+Adblockers (AdAway) which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
+
+AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+## Firmware Updates
+
+Firmware updates are critical for maintaining security and without them your device cannot be secure. Original equipment manufacturers (OEMs)—in other words, phone manufacturers—have support agreements with their partners to provide the closed source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).
+
+As the components of the phone such as the processor and radio technologies rely on closed source components, the updates must be provided by the respective manufacturers. Therefore it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years while cheaper products often have shorter support. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own system on chip (SoC) and they will provide 5 years of support.
+
+Devices that have reached their end-of-life (EoL) and are no longer supported by the SoC manufacturer, cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+
+## Android Versions
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any user apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+## Android Permissions
+
+[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant users control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All user installed apps are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore there is no need to install any antivirus apps. The savings you make from not purchasing or subscribing to security apps is better spent on paying for a supported device in the future.
+
+Should you want to run an app that you're unsure about, consider using a user or work [profile](android/#android-security-privacy).
+
+## Advanced Protection Program
+
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](/security/multi-factor-authentication.md#fido-fast-identity-online) support.
+
+The Advanced Protection Program provides enhanced threat monitoring and enables:
+
+- Stricter two factor authentication; e.g. that [FIDO](/security/multi-factor-authentication/#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](/security/multi-factor-authentication/#sms-or-email-mfa), [TOTP](/security/multi-factor-authentication.md#time-based-one-time-password-totp), and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Only Google and verified third party apps can access account data
+- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
+- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
+- Stricter recovery process for accounts with lost credentials
+
+ For users that are using the privileged Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
+
+- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
+- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
+- Warning the user about unverified applications
+
+## SafetyNet and Play Integrity API
+
+[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financal apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
+
+As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
+
+## Advertising ID
+
+All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
+
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to ⚙️ Settings → Apps → Sandboxed Google Play → Google Settings → Ads and select **Delete advertising ID**.
+
+On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
+
+- ⚙️ Settings → Google → Ads
+- ⚙️ Settings → Privacy → Ads
+
+Depending on your system, you will either be given the option to delete your advertising ID or to "Opt out of interest-based ads". You should delete the advertising ID if you are given the option to, and if you are not, we recommend that you opt out of interested-based ads and then reset your advertising ID.

docs/android/security.md

@@ -0,0 +1,36 @@
+---
+title: "Android Security and Privacy Features"
+icon: 'material/cellphone-lock'
+---
+
+## User Profiles
+
+Multiple user profiles (Settings → System → Multiple users) are the simplest way to isolate in Android. With user profiles you can limit a user from making calls, SMS or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles is a more secure method of isolation.
+
+## Work Profile
+
+[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles.
+
+A **device controller** such as [Shelter](#recommended-apps) is required, unless you're using CalyxOS which includes one.
+
+The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. The user must also fully trust the device controller app, as it has full access to the data inside of the work profile.
+
+This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.
+
+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption (FDE) to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based).
+
+Each user's data is encrypted using their own unique encryption key, and the operating system files are left unencrypted. Verified Boot ensures the integrity of the operating system files preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon reboot of the device.
+
+Unfortunately, original equipment manufacturers (OEMs) are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom Android Verified Boot (AVB) key enrollment on their devices. Some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
+## VPN Killswitch
+
+Android 7 and above supports a VPN killswitch and it is available without the need to install third party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in ⚙️ Settings → Network & internet → VPN → ⚙️ → Block connections without VPN.
+
+## Global Toggles
+
+Modern Android devices have global toggles for disabling [Bluetooth](https://en.wikipedia.org/wiki/Bluetooth) and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.

docs/assets/img/dns/dns-dark.svg

@@ -1,166 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.48.0 (0)
- -->
-<!-- Title: DNS Pages: 1 -->
-<svg width="630pt" height="935pt"
- viewBox="0.00 0.00 630.00 935.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(36 899)">
-<title>DNS</title>
-<!-- Start -->
-<g id="node1" class="node">
-<title>Start</title>
-<path fill="#d4bbd2" stroke="#d4bbd2" d="M89,-863C89,-863 55,-863 55,-863 49,-863 43,-857 43,-851 43,-851 43,-839 43,-839 43,-833 49,-827 55,-827 55,-827 89,-827 89,-827 95,-827 101,-833 101,-839 101,-839 101,-851 101,-851 101,-857 95,-863 89,-863"/>
-<text text-anchor="middle" x="72" y="-841.3" font-family="monospace" font-size="14.00">Start</text>
-</g>
-<!-- anonymous -->
-<g id="node3" class="node">
-<title>anonymous</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="72,-791 0,-733.5 72,-676 144,-733.5 72,-791"/>
-<text text-anchor="middle" x="72" y="-737.3" font-family="monospace" font-size="14.00">Trying to be</text>
-<text text-anchor="middle" x="72" y="-722.3" font-family="monospace" font-size="14.00"> anonymous?</text>
-</g>
-<!-- Start&#45;&gt;anonymous -->
-<g id="edge1" class="edge">
-<title>Start&#45;&gt;anonymous</title>
-<path fill="none" stroke="white" d="M72,-826.59C72,-826.59 72,-801.45 72,-801.45"/>
-<polygon fill="white" stroke="white" points="72,-791.45 76.5,-801.45 72,-796.45 72,-801.45 72,-801.45 72,-801.45 72,-796.45 67.5,-801.45 72,-791.45 72,-791.45"/>
-</g>
-<!-- nothing -->
-<g id="node2" class="node">
-<title>nothing</title>
-<path fill="#d4bbd2" stroke="#d4bbd2" d="M249.5,-36C249.5,-36 174.5,-36 174.5,-36 168.5,-36 162.5,-30 162.5,-24 162.5,-24 162.5,-12 162.5,-12 162.5,-6 168.5,0 174.5,0 174.5,0 249.5,0 249.5,0 255.5,0 261.5,-6 261.5,-12 261.5,-12 261.5,-24 261.5,-24 261.5,-30 255.5,-36 249.5,-36"/>
-<text text-anchor="middle" x="212" y="-14.3" font-family="monospace" font-size="14.00">Do nothing</text>
-</g>
-<!-- censorship -->
-<g id="node4" class="node">
-<title>censorship</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="72,-640 0,-582.5 72,-525 144,-582.5 72,-640"/>
-<text text-anchor="middle" x="72" y="-586.3" font-family="monospace" font-size="14.00">Avoiding</text>
-<text text-anchor="middle" x="72" y="-571.3" font-family="monospace" font-size="14.00"> censorship?</text>
-</g>
-<!-- anonymous&#45;&gt;censorship -->
-<g id="edge3" class="edge">
-<title>anonymous&#45;&gt;censorship</title>
-<path fill="none" stroke="white" d="M72,-675.98C72,-675.98 72,-650.11 72,-650.11"/>
-<polygon fill="white" stroke="white" points="72,-640.11 76.5,-650.11 72,-645.11 72,-650.11 72,-650.11 72,-650.11 72,-645.11 67.5,-650.11 72,-640.11 72,-640.11"/>
-<text text-anchor="middle" x="63.5" y="-651.85" font-family="monospace" font-size="14.00" fill="white">No</text>
-</g>
-<!-- tor -->
-<g id="node8" class="node">
-<title>tor</title>
-<path fill="#7aa0da" stroke="#7aa0da" d="M300,-697.5C300,-697.5 406,-697.5 406,-697.5 412,-697.5 418,-703.5 418,-709.5 418,-709.5 418,-757.5 418,-757.5 418,-763.5 412,-769.5 406,-769.5 406,-769.5 300,-769.5 300,-769.5 294,-769.5 288,-763.5 288,-757.5 288,-757.5 288,-709.5 288,-709.5 288,-703.5 294,-697.5 300,-697.5"/>
-<text text-anchor="middle" x="353" y="-729.8" font-family="monospace" font-size="14.00">Use Tor</text>
-</g>
-<!-- anonymous&#45;&gt;tor -->
-<g id="edge2" class="edge">
-<title>anonymous&#45;&gt;tor</title>
-<path fill="none" stroke="white" d="M143.64,-733C143.64,-733 277.75,-733 277.75,-733"/>
-<polygon fill="white" stroke="white" points="287.75,-733 277.75,-737.5 282.75,-733 277.75,-733 277.75,-733 277.75,-733 282.75,-733 277.75,-728.5 287.75,-733 287.75,-733"/>
-<text text-anchor="middle" x="198.19" y="-736.8" font-family="monospace" font-size="14.00" fill="white">Yes</text>
-</g>
-<!-- privacy -->
-<g id="node5" class="node">
-<title>privacy</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-489 140,-431.5 212,-374 284,-431.5 212,-489"/>
-<text text-anchor="middle" x="212" y="-435.3" font-family="monospace" font-size="14.00">Want privacy</text>
-<text text-anchor="middle" x="212" y="-420.3" font-family="monospace" font-size="14.00"> from ISP?</text>
-</g>
-<!-- censorship&#45;&gt;privacy -->
-<g id="edge5" class="edge">
-<title>censorship&#45;&gt;privacy</title>
-<path fill="none" stroke="white" d="M84.7,-535C115.31,-535 190.67,-535 190.67,-535 190.67,-535 190.67,-482.11 190.67,-482.11"/>
-<polygon fill="white" stroke="white" points="190.67,-472.11 195.17,-482.11 190.67,-477.11 190.67,-482.11 190.67,-482.11 190.67,-482.11 190.67,-477.11 186.17,-482.11 190.67,-472.11 190.67,-472.11"/>
-<text text-anchor="middle" x="155.63" y="-538.8" font-family="monospace" font-size="14.00" fill="white">No</text>
-</g>
-<!-- vpnOrTor -->
-<g id="node9" class="node">
-<title>vpnOrTor</title>
-<path fill="#7aa0da" stroke="#7aa0da" d="M300,-546.5C300,-546.5 406,-546.5 406,-546.5 412,-546.5 418,-552.5 418,-558.5 418,-558.5 418,-606.5 418,-606.5 418,-612.5 412,-618.5 406,-618.5 406,-618.5 300,-618.5 300,-618.5 294,-618.5 288,-612.5 288,-606.5 288,-606.5 288,-558.5 288,-558.5 288,-552.5 294,-546.5 300,-546.5"/>
-<text text-anchor="middle" x="353" y="-586.3" font-family="monospace" font-size="14.00">Use VPN</text>
-<text text-anchor="middle" x="353" y="-571.3" font-family="monospace" font-size="14.00"> or Tor</text>
-</g>
-<!-- censorship&#45;&gt;vpnOrTor -->
-<g id="edge4" class="edge">
-<title>censorship&#45;&gt;vpnOrTor</title>
-<path fill="none" stroke="white" d="M129.88,-594C129.88,-594 277.82,-594 277.82,-594"/>
-<polygon fill="white" stroke="white" points="287.82,-594 277.82,-598.5 282.82,-594 277.82,-594 277.82,-594 277.82,-594 282.82,-594 277.82,-589.5 287.82,-594 287.82,-594"/>
-<text text-anchor="middle" x="191.35" y="-597.8" font-family="monospace" font-size="14.00" fill="white">Yes</text>
-</g>
-<!-- obnoxious -->
-<g id="node6" class="node">
-<title>obnoxious</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-338 140,-280.5 212,-223 284,-280.5 212,-338"/>
-<text text-anchor="middle" x="212" y="-291.8" font-family="monospace" font-size="14.00">ISP makes</text>
-<text text-anchor="middle" x="212" y="-276.8" font-family="monospace" font-size="14.00"> obnoxious</text>
-<text text-anchor="middle" x="212" y="-261.8" font-family="monospace" font-size="14.00"> redirects?</text>
-</g>
-<!-- privacy&#45;&gt;obnoxious -->
-<g id="edge7" class="edge">
-<title>privacy&#45;&gt;obnoxious</title>
-<path fill="none" stroke="white" d="M212,-373.98C212,-373.98 212,-348.11 212,-348.11"/>
-<polygon fill="white" stroke="white" points="212,-338.11 216.5,-348.11 212,-343.11 212,-348.11 212,-348.11 212,-348.11 212,-343.11 207.5,-348.11 212,-338.11 212,-338.11"/>
-<text text-anchor="middle" x="203.5" y="-349.85" font-family="monospace" font-size="14.00" fill="white">No</text>
-</g>
-<!-- privacy&#45;&gt;vpnOrTor -->
-<g id="edge6" class="edge">
-<title>privacy&#45;&gt;vpnOrTor</title>
-<path fill="none" stroke="white" d="M237.33,-468.98C237.33,-510 237.33,-570 237.33,-570 237.33,-570 277.73,-570 277.73,-570"/>
-<polygon fill="white" stroke="white" points="287.73,-570 277.73,-574.5 282.73,-570 277.73,-570 277.73,-570 277.73,-570 282.73,-570 277.73,-565.5 287.73,-570 287.73,-570"/>
-<text text-anchor="middle" x="224.83" y="-543.49" font-family="monospace" font-size="14.00" fill="white">Yes</text>
-</g>
-<!-- ispDNS -->
-<g id="node7" class="node">
-<title>ispDNS</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-187 140,-129.5 212,-72 284,-129.5 212,-187"/>
-<text text-anchor="middle" x="212" y="-148.3" font-family="monospace" font-size="14.00">Does ISP</text>
-<text text-anchor="middle" x="212" y="-133.3" font-family="monospace" font-size="14.00"> support</text>
-<text text-anchor="middle" x="212" y="-118.3" font-family="monospace" font-size="14.00"> encrypted</text>
-<text text-anchor="middle" x="212" y="-103.3" font-family="monospace" font-size="14.00"> DNS?</text>
-</g>
-<!-- obnoxious&#45;&gt;ispDNS -->
-<g id="edge9" class="edge">
-<title>obnoxious&#45;&gt;ispDNS</title>
-<path fill="none" stroke="white" d="M212,-222.98C212,-222.98 212,-197.11 212,-197.11"/>
-<polygon fill="white" stroke="white" points="212,-187.11 216.5,-197.11 212,-192.11 212,-197.11 212,-197.11 212,-197.11 212,-192.11 207.5,-197.11 212,-187.11 212,-187.11"/>
-<text text-anchor="middle" x="203.5" y="-198.85" font-family="monospace" font-size="14.00" fill="white">No</text>
-</g>
-<!-- encryptedDNS -->
-<g id="node10" class="node">
-<title>encryptedDNS</title>
-<path fill="#7aa0da" stroke="#7aa0da" d="M440,-244.5C440,-244.5 546,-244.5 546,-244.5 552,-244.5 558,-250.5 558,-256.5 558,-256.5 558,-304.5 558,-304.5 558,-310.5 552,-316.5 546,-316.5 546,-316.5 440,-316.5 440,-316.5 434,-316.5 428,-310.5 428,-304.5 428,-304.5 428,-256.5 428,-256.5 428,-250.5 434,-244.5 440,-244.5"/>
-<text text-anchor="middle" x="493" y="-291.8" font-family="monospace" font-size="14.00">Use encrypted</text>
-<text text-anchor="middle" x="493" y="-276.8" font-family="monospace" font-size="14.00"> DNS with 3rd</text>
-<text text-anchor="middle" x="493" y="-261.8" font-family="monospace" font-size="14.00"> party</text>
-</g>
-<!-- obnoxious&#45;&gt;encryptedDNS -->
-<g id="edge8" class="edge">
-<title>obnoxious&#45;&gt;encryptedDNS</title>
-<path fill="none" stroke="white" d="M283.64,-280C283.64,-280 417.75,-280 417.75,-280"/>
-<polygon fill="white" stroke="white" points="427.75,-280 417.75,-284.5 422.75,-280 417.75,-280 417.75,-280 417.75,-280 422.75,-280 417.75,-275.5 427.75,-280 427.75,-280"/>
-<text text-anchor="middle" x="338.19" y="-283.8" font-family="monospace" font-size="14.00" fill="white">Yes</text>
-</g>
-<!-- ispDNS&#45;&gt;nothing -->
-<g id="edge11" class="edge">
-<title>ispDNS&#45;&gt;nothing</title>
-<path fill="none" stroke="white" d="M212,-71.79C212,-71.79 212,-46.13 212,-46.13"/>
-<polygon fill="white" stroke="white" points="212,-36.13 216.5,-46.13 212,-41.13 212,-46.13 212,-46.13 212,-46.13 212,-41.13 207.5,-46.13 212,-36.13 212,-36.13"/>
-<text text-anchor="middle" x="203.5" y="-47.76" font-family="monospace" font-size="14.00" fill="white">No</text>
-</g>
-<!-- useISP -->
-<g id="node11" class="node">
-<title>useISP</title>
-<path fill="#7aa0da" stroke="#7aa0da" d="M440,-93.5C440,-93.5 546,-93.5 546,-93.5 552,-93.5 558,-99.5 558,-105.5 558,-105.5 558,-153.5 558,-153.5 558,-159.5 552,-165.5 546,-165.5 546,-165.5 440,-165.5 440,-165.5 434,-165.5 428,-159.5 428,-153.5 428,-153.5 428,-105.5 428,-105.5 428,-99.5 434,-93.5 440,-93.5"/>
-<text text-anchor="middle" x="493" y="-133.3" font-family="monospace" font-size="14.00">Use encrypted</text>
-<text text-anchor="middle" x="493" y="-118.3" font-family="monospace" font-size="14.00"> DNS with ISP</text>
-</g>
-<!-- ispDNS&#45;&gt;useISP -->
-<g id="edge10" class="edge">
-<title>ispDNS&#45;&gt;useISP</title>
-<path fill="none" stroke="white" d="M283.64,-129C283.64,-129 417.75,-129 417.75,-129"/>
-<polygon fill="white" stroke="white" points="427.75,-129 417.75,-133.5 422.75,-129 417.75,-129 417.75,-129 417.75,-129 422.75,-129 417.75,-124.5 427.75,-129 427.75,-129"/>
-<text text-anchor="middle" x="338.19" y="-132.8" font-family="monospace" font-size="14.00" fill="white">Yes</text>
-</g>
-</g>
-</svg>

docs/assets/img/dns/dns.svg

@@ -1,166 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.48.0 (0)
- -->
-<!-- Title: DNS Pages: 1 -->
-<svg width="630pt" height="935pt"
- viewBox="0.00 0.00 630.00 935.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(36 899)">
-<title>DNS</title>
-<!-- Start -->
-<g id="node1" class="node">
-<title>Start</title>
-<path fill="#d4bbd2" stroke="#d4bbd2" d="M89,-863C89,-863 55,-863 55,-863 49,-863 43,-857 43,-851 43,-851 43,-839 43,-839 43,-833 49,-827 55,-827 55,-827 89,-827 89,-827 95,-827 101,-833 101,-839 101,-839 101,-851 101,-851 101,-857 95,-863 89,-863"/>
-<text text-anchor="middle" x="72" y="-841.3" font-family="monospace" font-size="14.00">Start</text>
-</g>
-<!-- anonymous -->
-<g id="node3" class="node">
-<title>anonymous</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="72,-791 0,-733.5 72,-676 144,-733.5 72,-791"/>
-<text text-anchor="middle" x="72" y="-737.3" font-family="monospace" font-size="14.00">Trying to be</text>
-<text text-anchor="middle" x="72" y="-722.3" font-family="monospace" font-size="14.00"> anonymous?</text>
-</g>
-<!-- Start&#45;&gt;anonymous -->
-<g id="edge1" class="edge">
-<title>Start&#45;&gt;anonymous</title>
-<path fill="none" stroke="black" d="M72,-826.59C72,-826.59 72,-801.45 72,-801.45"/>
-<polygon fill="black" stroke="black" points="72,-791.45 76.5,-801.45 72,-796.45 72,-801.45 72,-801.45 72,-801.45 72,-796.45 67.5,-801.45 72,-791.45 72,-791.45"/>
-</g>
-<!-- nothing -->
-<g id="node2" class="node">
-<title>nothing</title>
-<path fill="#d4bbd2" stroke="#d4bbd2" d="M249.5,-36C249.5,-36 174.5,-36 174.5,-36 168.5,-36 162.5,-30 162.5,-24 162.5,-24 162.5,-12 162.5,-12 162.5,-6 168.5,0 174.5,0 174.5,0 249.5,0 249.5,0 255.5,0 261.5,-6 261.5,-12 261.5,-12 261.5,-24 261.5,-24 261.5,-30 255.5,-36 249.5,-36"/>
-<text text-anchor="middle" x="212" y="-14.3" font-family="monospace" font-size="14.00">Do nothing</text>
-</g>
-<!-- censorship -->
-<g id="node4" class="node">
-<title>censorship</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="72,-640 0,-582.5 72,-525 144,-582.5 72,-640"/>
-<text text-anchor="middle" x="72" y="-586.3" font-family="monospace" font-size="14.00">Avoiding</text>
-<text text-anchor="middle" x="72" y="-571.3" font-family="monospace" font-size="14.00"> censorship?</text>
-</g>
-<!-- anonymous&#45;&gt;censorship -->
-<g id="edge3" class="edge">
-<title>anonymous&#45;&gt;censorship</title>
-<path fill="none" stroke="black" d="M72,-675.98C72,-675.98 72,-650.11 72,-650.11"/>
-<polygon fill="black" stroke="black" points="72,-640.11 76.5,-650.11 72,-645.11 72,-650.11 72,-650.11 72,-650.11 72,-645.11 67.5,-650.11 72,-640.11 72,-640.11"/>
-<text text-anchor="middle" x="63.5" y="-651.85" font-family="monospace" font-size="14.00">No</text>
-</g>
-<!-- tor -->
-<g id="node8" class="node">
-<title>tor</title>
-<path fill="#7aa0da" stroke="#7aa0da" d="M300,-697.5C300,-697.5 406,-697.5 406,-697.5 412,-697.5 418,-703.5 418,-709.5 418,-709.5 418,-757.5 418,-757.5 418,-763.5 412,-769.5 406,-769.5 406,-769.5 300,-769.5 300,-769.5 294,-769.5 288,-763.5 288,-757.5 288,-757.5 288,-709.5 288,-709.5 288,-703.5 294,-697.5 300,-697.5"/>
-<text text-anchor="middle" x="353" y="-729.8" font-family="monospace" font-size="14.00">Use Tor</text>
-</g>
-<!-- anonymous&#45;&gt;tor -->
-<g id="edge2" class="edge">
-<title>anonymous&#45;&gt;tor</title>
-<path fill="none" stroke="black" d="M143.64,-733C143.64,-733 277.75,-733 277.75,-733"/>
-<polygon fill="black" stroke="black" points="287.75,-733 277.75,-737.5 282.75,-733 277.75,-733 277.75,-733 277.75,-733 282.75,-733 277.75,-728.5 287.75,-733 287.75,-733"/>
-<text text-anchor="middle" x="198.19" y="-736.8" font-family="monospace" font-size="14.00">Yes</text>
-</g>
-<!-- privacy -->
-<g id="node5" class="node">
-<title>privacy</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-489 140,-431.5 212,-374 284,-431.5 212,-489"/>
-<text text-anchor="middle" x="212" y="-435.3" font-family="monospace" font-size="14.00">Want privacy</text>
-<text text-anchor="middle" x="212" y="-420.3" font-family="monospace" font-size="14.00"> from ISP?</text>
-</g>
-<!-- censorship&#45;&gt;privacy -->
-<g id="edge5" class="edge">
-<title>censorship&#45;&gt;privacy</title>
-<path fill="none" stroke="black" d="M84.7,-535C115.31,-535 190.67,-535 190.67,-535 190.67,-535 190.67,-482.11 190.67,-482.11"/>
-<polygon fill="black" stroke="black" points="190.67,-472.11 195.17,-482.11 190.67,-477.11 190.67,-482.11 190.67,-482.11 190.67,-482.11 190.67,-477.11 186.17,-482.11 190.67,-472.11 190.67,-472.11"/>
-<text text-anchor="middle" x="155.63" y="-538.8" font-family="monospace" font-size="14.00">No</text>
-</g>
-<!-- vpnOrTor -->
-<g id="node9" class="node">
-<title>vpnOrTor</title>
-<path fill="#7aa0da" stroke="#7aa0da" d="M300,-546.5C300,-546.5 406,-546.5 406,-546.5 412,-546.5 418,-552.5 418,-558.5 418,-558.5 418,-606.5 418,-606.5 418,-612.5 412,-618.5 406,-618.5 406,-618.5 300,-618.5 300,-618.5 294,-618.5 288,-612.5 288,-606.5 288,-606.5 288,-558.5 288,-558.5 288,-552.5 294,-546.5 300,-546.5"/>
-<text text-anchor="middle" x="353" y="-586.3" font-family="monospace" font-size="14.00">Use VPN</text>
-<text text-anchor="middle" x="353" y="-571.3" font-family="monospace" font-size="14.00"> or Tor</text>
-</g>
-<!-- censorship&#45;&gt;vpnOrTor -->
-<g id="edge4" class="edge">
-<title>censorship&#45;&gt;vpnOrTor</title>
-<path fill="none" stroke="black" d="M129.88,-594C129.88,-594 277.82,-594 277.82,-594"/>
-<polygon fill="black" stroke="black" points="287.82,-594 277.82,-598.5 282.82,-594 277.82,-594 277.82,-594 277.82,-594 282.82,-594 277.82,-589.5 287.82,-594 287.82,-594"/>
-<text text-anchor="middle" x="191.35" y="-597.8" font-family="monospace" font-size="14.00">Yes</text>
-</g>
-<!-- obnoxious -->
-<g id="node6" class="node">
-<title>obnoxious</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-338 140,-280.5 212,-223 284,-280.5 212,-338"/>
-<text text-anchor="middle" x="212" y="-291.8" font-family="monospace" font-size="14.00">ISP makes</text>
-<text text-anchor="middle" x="212" y="-276.8" font-family="monospace" font-size="14.00"> obnoxious</text>
-<text text-anchor="middle" x="212" y="-261.8" font-family="monospace" font-size="14.00"> redirects?</text>
-</g>
-<!-- privacy&#45;&gt;obnoxious -->
-<g id="edge7" class="edge">
-<title>privacy&#45;&gt;obnoxious</title>
-<path fill="none" stroke="black" d="M212,-373.98C212,-373.98 212,-348.11 212,-348.11"/>
-<polygon fill="black" stroke="black" points="212,-338.11 216.5,-348.11 212,-343.11 212,-348.11 212,-348.11 212,-348.11 212,-343.11 207.5,-348.11 212,-338.11 212,-338.11"/>
-<text text-anchor="middle" x="203.5" y="-349.85" font-family="monospace" font-size="14.00">No</text>
-</g>
-<!-- privacy&#45;&gt;vpnOrTor -->
-<g id="edge6" class="edge">
-<title>privacy&#45;&gt;vpnOrTor</title>
-<path fill="none" stroke="black" d="M237.33,-468.98C237.33,-510 237.33,-570 237.33,-570 237.33,-570 277.73,-570 277.73,-570"/>
-<polygon fill="black" stroke="black" points="287.73,-570 277.73,-574.5 282.73,-570 277.73,-570 277.73,-570 277.73,-570 282.73,-570 277.73,-565.5 287.73,-570 287.73,-570"/>
-<text text-anchor="middle" x="224.83" y="-543.49" font-family="monospace" font-size="14.00">Yes</text>
-</g>
-<!-- ispDNS -->
-<g id="node7" class="node">
-<title>ispDNS</title>
-<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-187 140,-129.5 212,-72 284,-129.5 212,-187"/>
-<text text-anchor="middle" x="212" y="-148.3" font-family="monospace" font-size="14.00">Does ISP</text>
-<text text-anchor="middle" x="212" y="-133.3" font-family="monospace" font-size="14.00"> support</text>
-<text text-anchor="middle" x="212" y="-118.3" font-family="monospace" font-size="14.00"> encrypted</text>
-<text text-anchor="middle" x="212" y="-103.3" font-family="monospace" font-size="14.00"> DNS?</text>
-</g>
-<!-- obnoxious&#45;&gt;ispDNS -->
-<g id="edge9" class="edge">
-<title>obnoxious&#45;&gt;ispDNS</title>
-<path fill="none" stroke="black" d="M212,-222.98C212,-222.98 212,-197.11 212,-197.11"/>
-<polygon fill="black" stroke="black" points="212,-187.11 216.5,-197.11 212,-192.11 212,-197.11 212,-197.11 212,-197.11 212,-192.11 207.5,-197.11 212,-187.11 212,-187.11"/>
-<text text-anchor="middle" x="203.5" y="-198.85" font-family="monospace" font-size="14.00">No</text>
-</g>
-<!-- encryptedDNS -->
-<g id="node10" class="node">
-<title>encryptedDNS</title>
-<path fill="#7aa0da" stroke="#7aa0da" d="M440,-244.5C440,-244.5 546,-244.5 546,-244.5 552,-244.5 558,-250.5 558,-256.5 558,-256.5 558,-304.5 558,-304.5 558,-310.5 552,-316.5 546,-316.5 546,-316.5 440,-316.5 440,-316.5 434,-316.5 428,-310.5 428,-304.5 428,-304.5 428,-256.5 428,-256.5 428,-250.5 434,-244.5 440,-244.5"/>
-<text text-anchor="middle" x="493" y="-291.8" font-family="monospace" font-size="14.00">Use encrypted</text>
-<text text-anchor="middle" x="493" y="-276.8" font-family="monospace" font-size="14.00"> DNS with 3rd</text>
-<text text-anchor="middle" x="493" y="-261.8" font-family="monospace" font-size="14.00"> party</text>
-</g>
-<!-- obnoxious&#45;&gt;encryptedDNS -->
-<g id="edge8" class="edge">
-<title>obnoxious&#45;&gt;encryptedDNS</title>
-<path fill="none" stroke="black" d="M283.64,-280C283.64,-280 417.75,-280 417.75,-280"/>
-<polygon fill="black" stroke="black" points="427.75,-280 417.75,-284.5 422.75,-280 417.75,-280 417.75,-280 417.75,-280 422.75,-280 417.75,-275.5 427.75,-280 427.75,-280"/>
-<text text-anchor="middle" x="338.19" y="-283.8" font-family="monospace" font-size="14.00">Yes</text>
-</g>
-<!-- ispDNS&#45;&gt;nothing -->
-<g id="edge11" class="edge">
-<title>ispDNS&#45;&gt;nothing</title>
-<path fill="none" stroke="black" d="M212,-71.79C212,-71.79 212,-46.13 212,-46.13"/>
-<polygon fill="black" stroke="black" points="212,-36.13 216.5,-46.13 212,-41.13 212,-46.13 212,-46.13 212,-46.13 212,-41.13 207.5,-46.13 212,-36.13 212,-36.13"/>
-<text text-anchor="middle" x="203.5" y="-47.76" font-family="monospace" font-size="14.00">No</text>
-</g>
-<!-- useISP -->
-<g id="node11" class="node">
-<title>useISP</title>
-<path fill="#7aa0da" stroke="#7aa0da" d="M440,-93.5C440,-93.5 546,-93.5 546,-93.5 552,-93.5 558,-99.5 558,-105.5 558,-105.5 558,-153.5 558,-153.5 558,-159.5 552,-165.5 546,-165.5 546,-165.5 440,-165.5 440,-165.5 434,-165.5 428,-159.5 428,-153.5 428,-153.5 428,-105.5 428,-105.5 428,-99.5 434,-93.5 440,-93.5"/>
-<text text-anchor="middle" x="493" y="-133.3" font-family="monospace" font-size="14.00">Use encrypted</text>
-<text text-anchor="middle" x="493" y="-118.3" font-family="monospace" font-size="14.00"> DNS with ISP</text>
-</g>
-<!-- ispDNS&#45;&gt;useISP -->
-<g id="edge10" class="edge">
-<title>ispDNS&#45;&gt;useISP</title>
-<path fill="none" stroke="black" d="M283.64,-129C283.64,-129 417.75,-129 417.75,-129"/>
-<polygon fill="black" stroke="black" points="427.75,-129 417.75,-133.5 422.75,-129 417.75,-129 417.75,-129 417.75,-129 422.75,-129 417.75,-124.5 427.75,-129 427.75,-129"/>
-<text text-anchor="middle" x="338.19" y="-132.8" font-family="monospace" font-size="14.00">Yes</text>
-</g>
-</g>
-</svg>

docs/browsers.en.md

@@ -95,7 +95,7 @@ You can still stay logged into websites by allowing exceptions.
 
 #### Sync
 
-The [Firefox sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) service is end-to-end encrypted.
+The [Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) service is end-to-end encrypted.
 
 #### Extensions
 

docs/dns.en.md

@@ -15,7 +15,7 @@ icon: material/dns
 | ------------ | -------------- | ---- | --------- | ------- | --- | --------- |
 | [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Commercial | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS)
 | [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Commercial | Cleartext <br> DoH <br> DoT | Some[^2] | No | Based on server choice.|
-| [**ControlID**](https://controld.com) | [:octicons-link-external-24:](https://controld.com/privacy) | Commercial | Cleartext <br> DoH <br> DoT | Optional[^3] | No |  Based on server choice.  |
+| [**ControlD**](https://controld.com) | [:octicons-link-external-24:](https://controld.com/privacy) | Commercial | Cleartext <br> DoH <br> DoT | Optional[^3] | No |  Based on server choice.  |
 | [**MullvadDNS**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | Commercial | DoH <br> DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock)
 | [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Commercial | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Optional[^5] | Optional | Based on server choice. |
 | [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Non-Profit | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^6] | Optional |  Based on server choice, Malware blocking by default. |
@@ -32,6 +32,7 @@ The criteria for the servers listed above are:
 - Must support [DNSSEC](technology/dns.md#what-is-dnssec-and-when-is-it-used)
 - Must have [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support
 - [QNAME Minimization](technology/dns.md#what-is-qname-minimization)
+- Allow for [ECS](technology/dns.md#what-is-edns-client-subnet-ecs) to be disabled
 
 ## Native Operating System Support
 

docs/email-clients.en.md

@@ -138,15 +138,15 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 
 Canary Mail is closed source. We recommend it, due to the few choices there are for email clients on iOS that support [Pretty Good Privacy (PGP)](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), end-to-end encryption (E2EE).
 
-### Neomutt
+### NeoMutt
 
 !!! recommendation
 
-    ![Neomutt logo](assets/img/email-clients/mutt.svg){ align=right }
+    ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right }
 
     NeoMutt is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features.
-    
-    Neomut is a text-based client that has a steep learning curve. It is however, very customizable.
+
+    NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable.
 
     [Visit neomutt.org](https://neomutt.org){ .md-button .md-button--primary }
 

docs/linux-desktop.en.md

@@ -30,7 +30,7 @@ Fedora has a semi-[rolling release](https://en.wikipedia.org/wiki/Rolling_releas
 
     [Visit get.opensuse.org](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
 
-Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When the user upgrades their system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by the [openSUSE Build Service](https://build.opensuse.org) to ensure its quality.
+Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When the user upgrades their system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.
 
 ### Arch Linux
 
@@ -64,7 +64,7 @@ Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF
 
 After the update is complete the user will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that a user can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.
 
-[Flatpak](https://www.flatpak.org) is the primary package installation method on these distrbutions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
+[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image.
 
 As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer.
 
@@ -84,7 +84,7 @@ NixOS also provides atomic updates; first it downloads (or builds) the packages
 
 Nix the package manager uses a purely functional language - which is also called Nix - to define packages.
 
-[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single Github repository. You can also define your own packages in the same language and then easily include them in your config.
+[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config.
 
 Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible.
 
@@ -104,7 +104,7 @@ Whonix is meant to run as two virtual machines: a “Workstation” and a Tor
 
 Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator.
 
-Future versions of Whonix will likely include [full system Apparmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
+Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
 
 Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers).
 
@@ -116,7 +116,7 @@ Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qube
 
     **Tails** is a live operating system based on Debian that routes all communications through Tor.
 
-    It can boot on almost any computer from a DVD, USB stick, or sdcard. It aims to preserve privacy and anonymity while circumventing censorship and leaving no trace of itself on the computer it is used on.
+    It can boot on almost any computer from a DVD, USB stick, or SD card. It aims to preserve privacy and anonymity while circumventing censorship and leaving no trace of itself on the computer it is used on.
 
     [Visit tails.boum.org](https://tails.boum.org/){ .md-button .md-button--primary }
 
@@ -215,7 +215,7 @@ We recommend using a desktop environment that supports the [Wayland](https://en.
 
 Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)).
 
-We recommend **against** using desktop environments or window managers that do not have Wayland support such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, XFCE, and i3.
+We recommend **against** using desktop environments or window managers that do not have Wayland support such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
 
 ### Proprietary firmware (microcode updates)
 
@@ -314,7 +314,7 @@ Red Hat develops [Podman](https://docs.podman.io/en/latest/) and secures it with
 
 Another option is [Kata containers](https://katacontainers.io/), where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host.
 
-These container technologies can be useful even for enthusiastic home users who may want to run certain web app software on their local area network (LAN) such as [vaultwarden](https://github.com/dani-garcia/vaultwarden) or images provided by [linuxserver.io](https://www.linuxserver.io) to increase privacy by decreasing dependence on various web services.
+These container technologies can be useful even for enthusiastic home users who may want to run certain web app software on their local area network (LAN) such as [Vaultwarden](https://github.com/dani-garcia/vaultwarden) or images provided by [linuxserver.io](https://www.linuxserver.io) to increase privacy by decreasing dependence on various web services.
 
 ## Additional hardening
 

docs/metadata-removal-tools.en.md

@@ -31,7 +31,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
     ![ExifCleaner logo](assets/img/metadata-removal/exifcleaner.svg){ align=right }
 
-    **ExifCleaner** is a freeware, open source graphical app that uses [ExifTool](https://exiftool.org) to remove [EXIF](https://en.wikipedia.org/wiki/Exif) metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.
+    **ExifCleaner** is a freeware, open source graphical app that uses [ExifTool](https://exiftool.org) to remove EXIF metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.
 
     [Visit exifcleaner.com](https://exifcleaner.com){ .md-button .md-button--primary }
 
@@ -49,7 +49,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
     ![Scrambled Exif logo](assets/img/metadata-removal/scrambled-exif.svg){ align=right }
 
-    **Scrambled Exif** is a metadata removal tool for Android. It can remove [EXIF](https://en.wikipedia.org/wiki/Exif) data for many file formats and has been translated into [many](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) languages.
+    **Scrambled Exif** is a metadata removal tool for Android. It can remove EXIF data for many file formats and has been translated into [many](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) languages.
 
     [Visit gitlab.com](https://gitlab.com/juanitobananas/scrambled-exif){ .md-button .md-button--primary }
 
@@ -68,7 +68,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
     ![Imagepipe logo](assets/img/metadata-removal/imagepipe.svg){ align=right }
 
-    **Imagepipe** is a a paint app for Android that can be used to redact photos and also delete [EXIF](https://en.wikipedia.org/wiki/Exif) metadata. It has been translated into [many](https://codeberg.org/Starfish/Imagepipe#translations) languages.
+    **Imagepipe** is a a paint app for Android that can be used to redact photos and also delete EXIF metadata. It has been translated into [many](https://codeberg.org/Starfish/Imagepipe#translations) languages.
 
     [Visit codeberg.org](https://codeberg.org/Starfish/Imagepipe){ .md-button .md-button--primary }
 
@@ -101,7 +101,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
 
     ![ExifTool logo](assets/img/metadata-removal/exiftool.png){ align=right }
 
-    **ExifTool** is the [original](https://en.wikipedia.org/wiki/ExifTool) perl library and command-line application for reading, writing, and editing meta information (EXIF, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
+    **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (EXIF, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more).
 
     It's often a component of other EXIF removal applications and is in most Linux distribution repositories.
 

docs/multi-factor-authentication.en.md

@@ -10,7 +10,7 @@ icon: 'material/two-factor-authentication'
 
     ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
 
-    The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), [Yubico OTP](https://developers.yubico.com/OTP/), [PIV](https://en.wikipedia.org/wiki/FIPS_201), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH/) authentication.
+    The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](security/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](security/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
 
     One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
 
@@ -31,7 +31,7 @@ For models which support HOTP and TOTP, there are 2 slots in the OTP interface w
 
     ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
 
-    **Nitrokey** has a security key capable of [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+    **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](security/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
 
     [Visit nitrokey.com](https://www.nitrokey.com){ .md-button .md-button--primary } [Privacy Policy](https://www.nitrokey.com/data-privacy-policy){ .md-button }
 

docs/news-aggregators.en.md

@@ -112,7 +112,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
 
 Some social media services also support RSS although it's not often advertised.
 
-### Youtube
+### YouTube
 
 You can subscribe YouTube channels without logging in and associating usage information with your Google Account. To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `channel_id` below:
 

docs/passwords.en.md

@@ -7,7 +7,7 @@ Stay safe and secure online with an encrypted and open-source password manager.
 ## Password Best Practices
 
 - Always use unique passwords. Don't make yourself a victim of "[credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing)".
-- Store an exported backup of your passwords in an [encrypted container](encryption) on another storage device. This can be useful if something happens to your device or the service you are using.
+- Store an exported backup of your passwords in an [encrypted container](encryption.md) on another storage device. This can be useful if something happens to your device or the service you are using.
 - If possible, store [Time-based one-time password (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password) tokens in a separate [TOTP app](security/multi-factor-authentication.md#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
 
 ## Local Password Managers

docs/search-engines.en.md

@@ -64,7 +64,7 @@ Startpage's majority shareholder is System1 who is an adtech company. We don't t
 
     **Searx** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing information about its users. There is a [list of public instances](https://searx.space/).
 
-    [Visit searx.me](https://searx.me){ .md-button .md-button--primary } [:pg-tor:](http://searxspbitokayvkhzhsnljde7rqmn7rvoga6e4waeub3h7ug3nghoad.onion){ .md-button }
+    [Visit searx.github.io](https://searx.github.io/searx){ .md-button .md-button--primary } [:pg-tor:](http://searxspbitokayvkhzhsnljde7rqmn7rvoga6e4waeub3h7ug3nghoad.onion){ .md-button }
 
     **Downloads**
     - [:fontawesome-brands-github: Source](https://github.com/asciimoo/searx)

docs/security/multi-factor-authentication.en.md

@@ -2,51 +2,53 @@
 title: "Multi-factor Authentication"
 icon: 'material/two-factor-authentication'
 ---
-**Multi-factor authentication** (MFA, or 2FA) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method are time limited codes you might receive from an SMS or app.
+**Multi-factor authentication** (MFA, or 2FA) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from an SMS or app.
 
-The idea behind MFA is that even if a hacker (or adversary) is able to figure out your password (something you *know*), they will still need a device you own like your phone (something you *have*) in order to generate the code needed to log in to your account. MFA methods vary in security based on this premise: The more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include [SMS codes](https://en.wikipedia.org/wiki/One-time_password#SMS), email codes, app push notifications, [Time-based One-time Passwords (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password), Yubico OTP, and [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) / [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor).
+Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
+
+MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include [SMS, Email codes](#sms-or-email-mfa), app push notifications, [Time-based One-time Passwords (TOTP)](#time-based-one-time-password-totp), [Yubico OTP](#yubico-otp), and [FIDO (Fast IDentity Online)](#fido-fast-identity-online).
 
 ## MFA Method Comparison
 
 ### SMS or Email MFA
 
-Receiving codes either from **SMS** or **email** are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
+Receiving codes either from [**SMS**](https://en.wikipedia.org/wiki/One-time_password#SMS) or **email** are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.
 
 ### Push Notifications
 
-**Push Notifications** take the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
+**Push notifications** take the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.
 
 We all make mistakes, and there is the risk that a user may accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices.
 
-The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open unlike a good [Time-based One-time Password (TOTP)](#time-based-one-time-password-totp) app.
+The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good [Time-based One-time Password (TOTP)](#time-based-one-time-password-totp) app.
 
 ### Time-based One-time Password (TOTP)
 
-**TOTP** is one of the most commons form of MFA available. When a user sets up TOTP they are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "shared secret" with the service that they intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+**TOTP** is one of the most commons form of MFA available. When a user sets up TOTP they are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that they intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
 
 The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret an adversary cannot generate new codes.
 
-If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
+If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.
 
-Unlike [FIDO2 / U2F](#fido2-u2f), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you they may use it as many times as they like until it expires (generally 60 seconds).
+Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you they may use it as many times as they like until it expires (generally 60 seconds).
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect it is secure enough for most people, and when [Hardware Security Keys](#hardware-security-keys) are not supported TOTP with [Authenticator Apps](#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](/multi-factor-authentication/#hardware-security-keys) are not supported [authenticator apps](/multi-factor-authentication/#authenticator-apps) are still a good option.
 
 ### Hardware security keys
 
 The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without a expensive processes and a forensics laboratory.
 
-As these keys are generally multi-function and provide a number of methods to authenticate we discuss below the most common ones.
+These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones.
 
 #### Yubico OTP
 
 Yubico OTP is an authentication protocol typically implemented in hardware security keys. When a user decides to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
 
-When logging into a website all a user needs to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
+When logging into a website, all a user needs to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
 
-The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only only be used once and when a successful authentication occurs the counter is increased which prevents reuse of the OTP. Yubico does provide a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
+The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only only be used once, and when a successful authentication occurs the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
 
 <figure markdown>
   ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png)
@@ -54,15 +56,23 @@ The service will then forward the one-time password to the Yubico OTP server for
 
 There are some benefits and disadvantages to using Yubico OTP when compared to [TOTP](#time-based-one-time-password-totp).
 
-The Yubico validation server is a cloud based service, and users do place trust in Yubico that they are storing data securely and not profiling users. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third parties to profile the user. Like [TOTP](#time-based-one-time-password-totp), Yubico OTP does not provide phishing resistance.
+The Yubico validation server is a cloud based service, and users place trust in Yubico that they are storing data securely and not profiling users. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third parties to profile the user. Like [TOTP](#time-based-one-time-password-totp), Yubico OTP does not provide phishing resistance.
 
 If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
 
-#### FIDO2 / U2F
+#### FIDO (Fast IDentity Online)
 
-[FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) / [**U2F**](https://en.wikipedia.org/wiki/Universal_2nd_Factor) is the most secure and private form of second factor authentication. While the user experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third party server. Instead FIDO2 (and U2F) use [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) with the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn).
 
-When a user creates an account the public key is sent to the service. When the user logs in the service will require the user to "sign" some data with their private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
+U2F and FIDO2 refer to the [CTAP (Client to Authenticator Protocol)](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the "Relying Party", the website, you're trying to log in on.
+
+WebAuthn is the most secure and private form of second factor authentication. While the user experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third party server. Instead it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
+
+<figure markdown>
+  ![FIDO](../assets/img/multi-factor-authentication/fido.png)
+</figure>
+
+When a user creates an account the public key is sent to the service, then when the user logs in, the service will require the user to "sign" some data with their private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
 
 This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
 
@@ -74,43 +84,43 @@ This presentation discusses the history of password authentication, the pitfalls
   allowfullscreen>
 </iframe>
 
-FIDO2 / U2F has superior security and privacy properties when compared to any MFA methods.
+FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
 
-Typically for web services it is used with [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect the user from phishing as it helps them to determine that they are using the authentic service and not a fake copy.
+Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect the user from phishing, as it helps them to determine that they are using the authentic service and not a fake copy.
 
-WebAuthn does not use any public ID, so the key is **not** identifiable across different websites like Yubico OTP. It also does not use any third party cloud server for authentication. All communication is completed between the key and the website the user is logging into. FIDO2 / U2F also uses a counter which is incremented upon use in order to prevent session reuse.
+Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third party cloud server for authentication. All communication is completed between the key and the website the user is logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys.
 
-If a website or service supports FIDO2 / U2F for the authentication, it is highly recommended that you use it over any other form of MFA.
+If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA.
 
 ## General Recommendations
 
 We have these general recommendations:
 
-### Which method to use?
+### Which method should I use?
 
-When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2 / U2F, you should not be using Yubico OTP or TOTP on your account.
+When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account.
 
 ### Backups
 
 You should always have backups for your MFA method. Hardware security keys can get lost, stolen, or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.
 
-When using TOTP with an authenticator app, be sure to back up your recovery keys, the app itself, or copy the "shared secrets" to another instance of the app on a different phone or into an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)).
+When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g [VeraCrypt](../encryption.md#veracrypt)).
 
 ### Initial setup
 
-When buying a security key, it is important that you change the default credentials, setup password protection for the key, and enable touch confirmation if your key supports such feature. Products such as the [YubiKey](#yubikey) have multiple interfaces with seperate credentials for each one of them, so you should go over each interface and set up protection as well.
+When buying a security key, it is important that you change the default credentials, setup password protection for the key, and enable touch confirmation if your key supports it. Products such as the [YubiKey](#yubico-otp) have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well.
 
 ### Email and SMS
 
 If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.
 
-If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access or use a dedicated VOIP number from a provider with similar security to avoid a [SIM swap](https://en.wikipedia.org/wiki/SIM_swap_scam) attack.
+If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap](https://en.wikipedia.org/wiki/SIM_swap_scam) attack.
 
 [MFA tools we recommend](../multi-factor-authentication.md){ .md-button }
 
 ## More places to setup MFA
 
-Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, ssh keys or even password databases as well.
+Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well.
 
 ### Windows
 
@@ -135,11 +145,11 @@ The command will prevent an adversary from bypassing MFA when the computer boots
 !!! warning
     If the [hostname](https://en.wikipedia.org/wiki/Hostname) of your system changes (such as due to DHCP), you would be unable to login. It is vital that you setup a proper hostname for your computer before following this guide.
 
-The `pam_u2f` module on Linux can provide two factor authentication for user login on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands such as "apt-get" and package names may however differ. This guide does **not** apply to Qubes OS.
+The `pam_u2f` module on Linux can provide two factor authentication for user login on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as "apt-get"—and package names may however differ. This guide does **not** apply to Qubes OS.
 
 ### Qubes OS
 
-Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS' [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
+Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
 
 ### SSH
 
@@ -149,8 +159,8 @@ SSH MFA could be set up using multiple different authentication methods that are
 
 #### Time-based One-time Password (TOTP)
 
-SSH MFA can also be set up using TOTP and DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands such as "apt-get" and package names may differ.
+SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as "apt-get"—and package names may differ.
 
 ### KeePass (and KeePassXC)
 
-KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second factor authentication. Yubico has provided a documennt for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
+KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.

docs/setup/integrating-metadata-removal.en.md

@@ -3,7 +3,7 @@ title: "Integrating Metadata Removal"
 icon: 'material/data-matrix-remove'
 ---
 
-When sharing files, it's important to remove associated metadata. Image files commonly include [EXIF](https://en.wikipedia.org/wiki/Exif) data, and sometimes photos even include GPS coordinates within its metadata.
+When sharing files, it's important to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data, and sometimes photos even include GPS coordinates within its metadata.
 
 While there are plenty of metadata removal tools, they typically aren't convenient to use. The guides featured here aim to detail how to integrate metadata removal tools in a simple fashion by utilizing easy-to-access system features.
 
@@ -12,7 +12,7 @@ While there are plenty of metadata removal tools, they typically aren't convenie
 
 ## macOS
 
-This guide uses the [Shortcuts](https://support.apple.com/guide/shortcuts-mac/intro-to-shortcuts-apdf22b0444c/mac) app to add an ExifTool script to the *Quick Actions* context menu within Finder. Shortcuts is developed by Apple and bundled in with macOS by default.
+This guide uses the [Shortcuts](https://support.apple.com/guide/shortcuts-mac/intro-to-shortcuts-apdf22b0444c/mac) app to add an [ExifTool](../metadata-removal-tools.md#exiftool) script to the *Quick Actions* context menu within Finder. Shortcuts is developed by Apple and bundled in with macOS by default.
 
 Shortcuts is quite intuitive to work with, so if you don't like the behavior demoed here then experiment with your own solution. For example, you could set the shortcut to take a clipboard input instead. The sky's the limit.
 
@@ -26,7 +26,7 @@ Shortcuts is quite intuitive to work with, so if you don't like the behavior dem
     /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
     ```
 
-2. [ExifTool](../metadata-removal-tools.md#exiftool): a tool for viewing and manipulating image, audio, video, and PDF metadata.
+2. ExifTool is a tool for viewing and manipulating image, audio, video, and PDF metadata.
 
     ```bash
     brew install exiftool
@@ -121,13 +121,13 @@ The lack of *good* metadata removal apps on the App Store is what makes this sol
 
 ## Windows
 
-Windows allows users to place files in a **SendTo** folder which then appear in the *Send to* context menu. This guide will show you how to add an ExifTool batch script to this menu.
+Windows allows users to place files in a **SendTo** folder which then appear in the *Send to* context menu. This guide will show you how to add an [ExifTool](../metadata-removal-tools.md#exiftool) batch script to this menu.
 
 ![Send to metadata removal shortcut](../assets/img/integrating-metadata-removal/preview-windows.jpg)
 
 ### Prerequisites
 
-1. [ExifTool](../metadata-removal-tools.md#exiftool): a tool for viewing and manipulating image, audio, video, and PDF metadata. We suggest you read the [Installation instructions](https://exiftool.org/install.html#Windows) on the official website.
+1. ExifTool is a tool for viewing and manipulating image, audio, video, and PDF metadata. We suggest you read the [Installation instructions](https://exiftool.org/install.html#Windows) on the official website.
 
 !!! note
     You can check if ExifTool is present in your [PATH](https://www.computerhope.com/issues/ch000549.htm) by running `exiftool -ver` in Command Prompt. You should see a version number.
@@ -160,4 +160,4 @@ Windows allows users to place files in a **SendTo** folder which then appear in
 
 ### Using the shortcut
 
-1. Right click a supported file and choose **ExifTool.bat** within the *Send to* context menu
+1. Right click a supported file and choose **ExifTool.bat** within the *Send to* context menu.

docs/technology/dns.en.md

@@ -52,7 +52,7 @@ Below, we discuss and provide a tutorial to prove what an outside observer may s
         tshark -r /tmp/dns.pcap
         ```
 
-If you run the Wireguard command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer.
+If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer.
 
 | No. | Time     | Source    | Destination | Protocol | Length | Info                                                                   |
 |-----|----------|-----------|-------------|----------|--------|------------------------------------------------------------------------|
@@ -117,7 +117,7 @@ When we do a DNS lookup, it's generally because we want to access a resource. Be
 
 The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides.
 
-This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform, (e.g. Github Pages, Cloudflare Pages, Netlify, Wordpress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
+This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform, (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
 
 ### Server Name Indication (SNI)
 

docs/threat-modeling.en.md

@@ -1,5 +1,5 @@
 ---
-title: "What are threat models?"
+title: "Threat Modeling"
 icon: 'material/target-account'
 ---
 

docs/tools.en.md

@@ -111,7 +111,10 @@ For your convenience, everything we recommend is listed below with a link to the
 
 ### DNS
 
-We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS servers based on a variety of criteria. Some no-logging choices include [MullvadDNS](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/), but we recommend you read our full page on DNS before choosing a provider. In many cases using an alternative DNS provider is not recommended. [Learn more :material-arrow-right:](dns.md)
+We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [MullvadDNS](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended.
+<br>
+<br>
+[Learn more :material-arrow-right:](dns.md)
 
 ### Email
 
@@ -191,7 +194,7 @@ We [recommend](dns.md#why-should-i-use-encrypted-dns) a number of encrypted DNS
 - ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar (SaaS)](https://calendar.protonmail.com/)
 - ![EteSync logo](assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](https://www.etesync.com/)
 - ![Tutanota logo](assets/img/calendar-contacts/nextcloud.svg){ .twemoji } [Nextcloud](https://nextcloud.com/)
-- ![DecSync CC logo](assets/img/calendar-contacts/decsync.svg){ .twemoji } [DecSync](https://github.com/39aldo39/DecSync)
+- ![DecSync CC logo](assets/img/calendar-contacts/decsync.svg){ .twemoji } [DecSync CC](https://github.com/39aldo39/DecSync)
 
 </div>
 

docs/video-streaming.en.md

@@ -10,7 +10,7 @@ The primary threat when using a video streaming platform is that your streaming
 
 !!! Warning
 
-    When using Freetube, your IP address is still known to YouTube, [Invidious](https://instances.invidious.io) and the SponsorBlock instances that you use. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](threat-modeling.md) requires hiding your IP address.
+    When using FreeTube, your IP address is still known to YouTube, [Invidious](https://instances.invidious.io) and the SponsorBlock instances that you use. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](threat-modeling.md) requires hiding your IP address.
 
 !!! recommendation
 

mkdocs.yml

@@ -96,19 +96,24 @@ markdown_extensions:
           - theme/.icons
   - tables
   - footnotes
+  - toc:
+      permalink: true
 
 extra_javascript:
   - javascripts/mathjax.js
 
 nav:
   - Home: 'index.md'
-  - 'Privacy Introduction':
-    - 'threat-modeling.md'
-    - 'Technology Basics':
+  - 'Knowledge Base':
+    - 'The Basics':
+      - 'threat-modeling.md'
       - 'technology/dns.md'
-    - 'Security Basics':
       - 'security/multi-factor-authentication.md'
-    - 'Setup Guides':
+    - 'Mobile Devices':
+      - 'android/overview.md'
+      - 'android/security.md'
+      - 'android/grapheneos-vs-calyxos.md'
+    - 'Advanced':
       - 'setup/integrating-metadata-removal.md'
   - 'Recommendations':
     - 'tools.md'