Improvements to the browser page (#1255)

Signed-off-by: Daniel Gray <dng@disroot.org>

.github/workflows/crowdin.yml

@@ -14,7 +14,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: crowdin action
-      uses: crowdin/github-action@1.4.8
+      uses: crowdin/github-action@1.4.9
       with:
         upload_sources: true
         upload_sources_args: '--auto-update --delete-obsolete'

docs/android.en.md

@@ -64,7 +64,7 @@ DivestOS also includes kernel patches from GrapheneOS and enables all available
 
 DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](android/grapheneos-vs-calyxos.md#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and 18.1 feature GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, and [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).
 
-!!! attention
+!!! warning
 
     DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS or CalyxOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
 
@@ -151,8 +151,8 @@ Fairphone markets their devices as receiving 6 years of support. However, the So
 
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
         - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid)
-        - [:fontawesome-brands-github: GitHub](https://github.com/guardianproject/orbot)
-        - [:fontawesome-brands-gitlab: GitLab](https://gitlab.com/guardianproject/orbot)
+        - [:fontawesome-brands-github: Source](https://github.com/guardianproject/orbot)
+        - [:fontawesome-brands-gitlab: Source](https://gitlab.com/guardianproject/orbot)
 
 Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
 
@@ -180,9 +180,9 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
 
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
         - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.typeblog.shelter)
-        - [:fontawesome-brands-github: GitHub](https://github.com/PeterCxy/Shelter)
+        - [:fontawesome-brands-github: Source](https://github.com/PeterCxy/Shelter)
 
-!!! attention
+!!! warning
 
     As CalyxOS includes a device controller, we recommend using their built in work profile instead.
 
@@ -204,7 +204,7 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest
     ??? downloads
 
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor)
-        - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Auditor)
+        - [:fontawesome-brands-github: Source](https://github.com/GrapheneOS/Auditor)
 
 Auditor performs attestation and intrusion detection by:
 
@@ -216,7 +216,7 @@ Auditor performs attestation and intrusion detection by:
 
 No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
 
-If your [threat model](threat-modeling.md) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
+If your [threat model](basics/threat-modeling.md) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
 To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
 
 ### Secure Camera
@@ -233,7 +233,7 @@ To make sure that your hardware and operating system is genuine, [perform local
     ??? downloads
 
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
-        - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Camera/releases)
+        - [:fontawesome-brands-github: Source](https://github.com/GrapheneOS/Camera/releases)
 
 Main privacy features include:
 
@@ -263,7 +263,7 @@ Main privacy features include:
     ??? downloads
 
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
-        - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases)
+        - [:fontawesome-brands-github: Source](https://github.com/GrapheneOS/PdfViewer/releases)
 
 ### PrivacyBlur
 
@@ -279,7 +279,7 @@ Main privacy features include:
 
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
         - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.mathema.privacyblur/)
-        - [:fontawesome-brands-github: GitHub](https://github.com/MATHEMA-GmbH/privacyblur)
+        - [:fontawesome-brands-github: Source](https://github.com/MATHEMA-GmbH/privacyblur)
 
 !!! warning
 
@@ -299,8 +299,6 @@ The Google Play Store requires a Google account to login which is not great for
 
 F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications, and is dedicated to free and open source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/).
 
-*[walled garden]: A walled garden (or closed platform) is one in which the service provider has control over applications, content, and/or media, and restricts convenient access to non-approved applicants or content.
-
 Sometimes the official F-Droid repository may fall behind on updates. F-Droid maintainers reuse package IDs while signing apps with their own keys, which is not ideal as it does give the F-Droid team ultimate trust. The Google Play version of some apps may contain unwanted telemetry or lack features that are available in the F-Droid version.
 
 We have these general tips:
@@ -309,7 +307,7 @@ We have these general tips:
 - Check if an app is available on the [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repository. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. We recommend that you download the GitHub builds and install them manually first, then use IzzyOnDroid for any subsequent updates. This will ensure that the signature of the applications you get from IzzyOnDroid matches that of the developer and the packages have not been tampered with.
 - Check if there are any differences between the F-Droid version and the Google Play Store version. Some applications like [IVPN](https://www.ivpn.net/) do not include certain features (eg [AntiTracker](https://www.ivpn.net/knowledgebase/general/antitracker-faq/)) in their Google Play Store build out of fear of censorship by Google.
 
-Evaluate whether the additional features in the F-Droid build are worth the slower updates. Also think about whether faster updates from the Google Play Store are worth the potential privacy issues in your [threat model](threat-modeling.md).
+Evaluate whether the additional features in the F-Droid build are worth the slower updates. Also think about whether faster updates from the Google Play Store are worth the potential privacy issues in your [threat model](basics/threat-modeling.md).
 
 #### Neo Store
 
@@ -328,6 +326,6 @@ To mitigate these problems, we recommend [Neo Store](https://github.com/NeoAppli
     ??? downloads
 
         - [:fontawesome-brands-android: APK Download](https://android.izzysoft.de/repo/apk/com.looker.droidify)
-        - [:fontawesome-brands-github: GitHub](https://github.com/NeoApplications/Neo-Store)
+        - [:fontawesome-brands-github: Source](https://github.com/NeoApplications/Neo-Store)
 
 --8<-- "includes/abbreviations.en.md"

docs/android/overview.en.md

@@ -82,11 +82,11 @@ If you are using a device with Google services, either your stock operating syst
 
 ### Advanced Protection Program
 
-If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../security/multi-factor-authentication.md#fido-fast-identity-online) support.
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support.
 
 The Advanced Protection Program provides enhanced threat monitoring and enables:
 
-- Stricter two factor authentication; e.g. that [FIDO](/security/multi-factor-authentication/#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](/security/multi-factor-authentication/#sms-or-email-mfa), [TOTP](/security/multi-factor-authentication.md#time-based-one-time-password-totp), and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp), and [OAuth](https://en.wikipedia.org/wiki/OAuth)
 - Only Google and verified third party apps can access account data
 - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
 - Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome

docs/assets/img/browsers/brave.svg

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg version="1.1" viewBox="0 0 128 128" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><defs><linearGradient id="a" x2="235.8" y1="119.6" y2="119.6" gradientTransform="scale(.9229 1.084)" gradientUnits="userSpaceOnUse"><stop stop-color="#F50" offset="0"/><stop stop-color="#F50" offset=".4099"/><stop stop-color="#FF2000" offset=".582"/><stop stop-color="#FF2000" offset="1"/></linearGradient><linearGradient id="c" x1="11.3" x2="100.5" y1="46.23" y2="46.23" gradientTransform="scale(1.981 .5049)" gradientUnits="userSpaceOnUse"><stop stop-color="#FF452A" offset="0"/><stop stop-color="#FF2000" offset="1"/></linearGradient><path id="b" d="m170.3 25.34-22.3-25.34h-78.34l-22.3 25.34s-19.58-5.447-28.83 3.813c0 0 26.11-2.36 35.09 12.26 0 0 24.21 4.63 27.47 4.63s10.34-2.724 16.86-4.902c6.528-2.179 10.88-2.195 10.88-2.195s4.352 0.016 10.88 2.195c6.528 2.178 13.6 4.902 16.86 4.902s27.47-4.63 27.47-4.63c8.976-14.62 35.09-12.26 35.09-12.26-9.248-9.26-28.83-3.813-28.83-3.813"/></defs><g transform="matrix(.50101 0 0 .50101 9.4745 .0060121)" fill-rule="evenodd"><path d="m210 61.28 5.984-14.71s-7.616-8.17-16.86-17.43c-9.248-9.259-28.83-3.812-28.83-3.812l-22.3-25.34h-78.34l-22.3 25.34s-19.58-5.447-28.83 3.813-16.86 17.43-16.86 17.43l5.984 14.71-7.616 21.79s22.4 84.95 25.02 95.32c5.168 20.42 8.704 28.32 23.39 38.67s41.34 28.32 45.7 31.05c4.352 2.724 9.792 7.363 14.69 7.363s10.34-4.64 14.69-7.363 31.01-20.7 45.7-31.05 18.22-18.25 23.39-38.67c2.624-10.37 25.02-95.32 25.02-95.32z" fill="url(#a)"/><path d="m164 41.4s28.69 34.72 28.69 42.14c0 7.421-3.608 9.38-7.237 13.24l-21.51 22.87c-2.036 2.164-6.273 5.445-3.78 11.35 2.492 5.905 6.168 13.42 2.08 21.04-4.089 7.62-11.09 12.71-15.58 11.87-4.489-0.842-15.03-6.357-18.9-8.876-3.876-2.52-16.16-12.66-16.16-16.54s12.7-10.85 15.04-12.43c2.347-1.583 13.05-7.712 13.27-10.12 0.219-2.406 0.136-3.111-3.022-9.055s-8.845-13.88-7.898-19.15c0.946-5.277 10.12-8.02 16.66-10.5 6.545-2.474 19.15-7.148 20.72-7.875 1.575-0.727 1.168-1.42-3.601-1.872-4.768-0.452-18.3-2.251-24.4-0.548-6.1 1.702-16.52 4.293-17.37 5.667-0.844 1.373-1.589 1.42-0.722 6.158 0.867 4.739 5.33 27.48 5.764 31.52 0.433 4.039 1.28 6.709-3.068 7.705-4.35 0.995-11.67 2.724-14.19 2.724s-9.838-1.729-14.19-2.724c-4.35-0.996-3.503-3.666-3.07-7.705 0.434-4.039 4.898-26.78 5.765-31.52s0.122-4.785-0.722-6.158c-0.844-1.374-11.27-3.965-17.37-5.667-6.1-1.703-19.63 0.096-24.4 0.548-4.769 0.453-5.176 1.145-3.602 1.872 1.575 0.727 14.18 5.4 20.72 7.875 6.546 2.475 15.72 5.22 16.66 10.5 0.946 5.278-4.741 13.21-7.899 19.15-3.158 5.944-3.241 6.65-3.022 9.055s10.92 8.534 13.27 10.12 15.04 8.552 15.04 12.43c0 3.882-12.28 14.03-16.16 16.54-3.876 2.52-14.42 8.034-18.9 8.876-4.488 0.84-11.49-4.246-15.58-11.87-4.089-7.621-0.412-15.14 2.08-21.04 2.491-5.905-1.745-9.186-3.78-11.35l-21.51-22.87c-3.629-3.858-7.237-5.817-7.237-13.24 0-7.422 28.69-42.14 28.69-42.14s24.21 4.63 27.47 4.63 10.34-2.724 16.86-4.902c6.528-2.179 10.88-2.195 10.88-2.195s4.352 0.016 10.88 2.195c6.528 2.178 13.6 4.902 16.86 4.902s27.47-4.63 27.47-4.63zm-21.51 132.8c1.775 1.113 0.692 3.212-0.925 4.357-1.618 1.145-23.36 18-25.47 19.86-2.11 1.864-5.21 4.94-7.318 4.94s-5.209-3.076-7.318-4.94c-2.11-1.863-23.85-18.72-25.47-19.86s-2.7-3.244-0.925-4.357c1.777-1.113 7.333-3.922 15-7.894 7.665-3.972 17.22-7.349 18.71-7.349s11.04 3.377 18.71 7.349 13.22 6.781 15 7.894z" fill="#fff"/><use width="100%" height="100%" fill="url(#c)" xlink:href="#b"/></g></svg>

docs/assets/img/email/mini/disroot-dark.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 298"><path fill="#fff" fill-rule="nonzero" d="M70.761.97C76.184-.66 82.722.258 88.337.258c15.055 0 30.042 2.067 45.011 4.17l3.326.467 1.663.233c45.993 6.411 93.211 18.792 134.996 39.39 17.902 8.824 34.021 20.622 51.004 30.995 14.752 9.01 27.07 19.226 39.039 31.746 6.143 6.427 12.996 13.692 16.496 21.999 4.552 10.803 4.835 25.505 3.026 37-3.916 24.881-23.26 44.954-42.391 59.656-43.041 33.076-99.083 50.141-151.17 62.905-16.984 4.162-35.457 8.411-53 8.439-.975.002-1.973.02-2.979.031l-.672.007-.673.003-.675-.002c-5.62-.04-11.225-.76-14.443-6.133-1.261-2.106-1.85-4.545-2.427-6.906-6.126-25.092 31.664-30.723 30.826-56-.485-14.613-10.464-29.563-15.532-43-9.602-25.457-19.686-51.149-30.76-76-1.418-3.18-2.62-6.472-3.8-9.777l-1.063-2.975c-1.896-5.287-3.886-10.53-6.761-15.323-5.132-8.555-12.664-10.856-22.041-12.196-12.935-1.848-27.059-1.232-40 .22-1.936.218-4.408.635-7.04.947l-.61.07c-7.352.815-15.714.647-17.122-6.97-2.66-14.398 4.373-25.648 14.772-34.901C31.677 13.814 50.274 7.132 70.761.97Zm128.576 103.287c5.051 17.461 11.049 34.665 17.135 51.81l2.15 6.05a3170.29 3170.29 0 0 1 6.41 18.14c4.16 11.926 11.046 23.215 12.131 36 .281 3.305-.307 6.559-.93 9.805l-.248 1.299c-.246 1.298-.48 2.596-.648 3.896 19.663-4.844 47.291-6.374 60.443-24.001 8.448-11.322 9.163-26.261 1.449-37.999-2.234-3.4-5.12-6.116-8.052-8.83l-1.036-.958c-.69-.64-1.38-1.285-2.059-1.943-18.683-18.082-40.608-35.514-64.741-45.669-7.315-3.078-14.033-6.427-22.004-7.6Z"/></svg>

docs/assets/img/email/mini/disroot.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 298"><path fill="#50162D" fill-rule="nonzero" d="M70.761.97C76.184-.66 82.722.258 88.337.258c15.055 0 30.042 2.067 45.011 4.17l3.326.467 1.663.233c45.993 6.411 93.211 18.792 134.996 39.39 17.902 8.824 34.021 20.622 51.004 30.995 14.752 9.01 27.07 19.226 39.039 31.746 6.143 6.427 12.996 13.692 16.496 21.999 4.552 10.803 4.835 25.505 3.026 37-3.916 24.881-23.26 44.954-42.391 59.656-43.041 33.076-99.083 50.141-151.17 62.905-16.984 4.162-35.457 8.411-53 8.439-.975.002-1.973.02-2.979.031l-.672.007-.673.003-.675-.002c-5.62-.04-11.225-.76-14.443-6.133-1.261-2.106-1.85-4.545-2.427-6.906-6.126-25.092 31.664-30.723 30.826-56-.485-14.613-10.464-29.563-15.532-43-9.602-25.457-19.686-51.149-30.76-76-1.418-3.18-2.62-6.472-3.8-9.777l-1.063-2.975c-1.896-5.287-3.886-10.53-6.761-15.323-5.132-8.555-12.664-10.856-22.041-12.196-12.935-1.848-27.059-1.232-40 .22-1.936.218-4.408.635-7.04.947l-.61.07c-7.352.815-15.714.647-17.122-6.97-2.66-14.398 4.373-25.648 14.772-34.901C31.677 13.814 50.274 7.132 70.761.97Zm128.576 103.287c5.051 17.461 11.049 34.665 17.135 51.81l2.15 6.05a3170.29 3170.29 0 0 1 6.41 18.14c4.16 11.926 11.046 23.215 12.131 36 .281 3.305-.307 6.559-.93 9.805l-.248 1.299c-.246 1.298-.48 2.596-.648 3.896 19.663-4.844 47.291-6.374 60.443-24.001 8.448-11.322 9.163-26.261 1.449-37.999-2.234-3.4-5.12-6.116-8.052-8.83l-1.036-.958c-.69-.64-1.38-1.285-2.059-1.943-18.683-18.082-40.608-35.514-64.741-45.669-7.315-3.078-14.033-6.427-22.004-7.6Z"/></svg>

docs/basics/account-deletion.en.md

@@ -0,0 +1,63 @@
+---
+title: "Account Deletion"
+icon: 'material/account-remove'
+---
+Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence.
+
+## Finding Old Accounts
+
+### Password Manager
+
+If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/).
+
+<figure markdown>
+  ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png)
+</figure>
+
+Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro)
+and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336).
+
+Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about:
+
+- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0)
+- macOS [Passwords](https://support.apple.com/en-us/HT211145)
+- iOS [Passwords](https://support.apple.com/en-us/HT211146)
+- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en), or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)
+
+### Email
+
+If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
+
+## Deleting Old Accounts
+
+### Log In
+
+In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts.
+
+When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately there is no guarantee that you will be able to reclaim access your account.
+
+### GDPR (EEA residents only)
+
+Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service, or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation.
+
+### Overwriting Account information
+
+In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information.
+
+For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](/email/#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.
+
+### Delete
+
+You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.
+
+For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](security/multi-factor-authentication) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](/passwords/#local-password-managers) can be useful for this).
+
+If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.
+
+Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services.
+
+## Avoid New Accounts
+
+As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you!
+
+--8<-- "includes/abbreviations.en.md"

docs/basics/dns.en.md

@@ -25,7 +25,7 @@ Below, we discuss and provide a tutorial to prove what an outside observer may s
 
 2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS.
 
-    === "Linux, MacOS"
+    === "Linux, macOS"
 
         ```
         dig +noall +answer privacyguides.org @1.1.1.1
@@ -109,7 +109,7 @@ We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmis
 
 ## Why **shouldn't** I use encrypted DNS?
 
-In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](vpn) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
+In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity.
 
 When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
 
@@ -279,9 +279,17 @@ Encrypted DNS with a 3rd party should only be used to get around redirects and b
 
 [List of recommended DNS servers](../dns.md){ .md-button }
 
-## What is DNSSEC and when is it used?
+## What is DNSSEC?
 
-[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is used to provide authenticity to the records being fetched from upstream DNS servers. It doesn't provide confidentiality, for that we use one of the [encrypted DNS](#what-is-encrypted-dns) protocols discussed above.
+[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests.
+
+In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted.
+
+The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
+
+DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver.
+
+<small>Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).</small>
 
 ## What is QNAME minimization?
 

docs/basics/multi-factor-authentication.en.md

@@ -2,7 +2,7 @@
 title: "Multi-factor Authentication"
 icon: 'material/two-factor-authentication'
 ---
-**Multi-factor authentication** is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from an SMS or app.
+**Multi-factor authentication** is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app.
 
 Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone.
 
@@ -24,7 +24,7 @@ The security of push notification MFA is dependent on both the quality of the ap
 
 ### Time-based One-time Password (TOTP)
 
-TOTP is one of the most commons form of MFA available. When you set up TOTP you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
+TOTP is one of the most common forms of MFA available. When you set up TOTP you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.
 
 The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret an adversary cannot generate new codes.
 
@@ -76,13 +76,9 @@ When you create an account the public key is sent to the service, then when you
 
 This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards.
 
-<iframe width="100%" style="height:50vh"
-  src="https://www.youtube-nocookie.com/embed/aMo4ZlWznao"
-  title="How FIDO2 and WebAuthn Stop Account Takeovers"
-  frameborder="0"
-  allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
-  allowfullscreen>
-</iframe>
+<div class="yt-embed">
+  <iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/aMo4ZlWznao" title="How FIDO2 and WebAuthn Stop Account Takeovers" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
+</div>
 
 FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods.
 

docs/browsers.en.md

@@ -1,11 +1,8 @@
 ---
 title: "Web Browsers"
 icon: octicons/browser-16
-tags:
-  - HTML5
-  - JavaScript
 ---
-These are our current web browser recommendations and settings. We recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
+These are our currently recommended web browsers and configurations. In general, we recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
 
 ## General Recommendations
 
@@ -15,7 +12,7 @@ These are our current web browser recommendations and settings. We recommend kee
 
     ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }
 
-    **Tor Browser** is the choice if you need anonymity. This browser provides you with access to the Tor Bridges and [Tor Network](https://en.wikipedia.org/wiki/Tor_(network)), along with extensions that can be automatically configured to fit its three security levels - *Standard*, *Safer* and *Safest*. We recommend that you do not change any of Tor Browser's default configurations outside of the standard security levels.
+    **Tor Browser** is the choice if you need anonymity. This browser provides you with access to the Tor Bridges and [Tor Network](https://en.wikipedia.org/wiki/Tor_(network)), along with extensions that can be automatically configured to fit its three security levels: *Standard*, *Safer* and *Safest*. We recommend that you do not change any of Tor Browser's default configurations outside of the standard security levels.
 
     [Homepage](https://www.torproject.org){ .md-button .md-button--primary } [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .md-button } [Privacy Policy](https://support.torproject.org/tbb/tbb-3/){ .md-button }
 
@@ -30,9 +27,9 @@ These are our current web browser recommendations and settings. We recommend kee
         - [:fontawesome-brands-git: Source](https://trac.torproject.org/projects/tor)
 
 !!! warning
-    You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Browser extensions make you stand out from other people on the Tor network, and make your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
+    You should **never** install any additional extensions on Tor Browser, including the ones we suggest for Firefox. Browser extensions make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting).
 
-## Desktop Browser Recommendations
+## Desktop Recommendations
 
 ### Firefox
 
@@ -57,51 +54,161 @@ These are our current web browser recommendations and settings. We recommend kee
 
 #### Recommended Configuration
 
+Tor Browser is the only way to truly browse the internet anonymously. When you use Firefox we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than [Tor Browser](#tor-browser) will be traceable by *somebody* in some regard or another.
+
 These options can be found in :material-menu: → **Settings** → **Privacy & Security**.
 
-##### Enhanced Tracking Protection (ETP)
+##### Enhanced Tracking Protection
 
-- Select **Strict**
+- [x] Select **Strict** Enhanced Tracking Protection
+
+This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability.
 
 ##### Sanitize on Close
 
 If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**
 
-- Select **Delete cookies and site data when Firefox is closed**
+- [x] Check **Delete cookies and site data when Firefox is closed**
 
-##### Disable Search Suggestions
+This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often.
 
-- Clear **Suggestions from the web**
-- Clear **Suggestions from sponsors**
-- Clear **Improve the Firefox Suggest experience**
+##### Search Suggestions
+
+- [ ] Disable **Suggestions from the web**
+- [ ] Disable **Suggestions from sponsors**
+- [ ] Disable **Improve the Firefox Suggest experience**
 
 Search suggestion features may not be available in your region.
 
-##### Disable Telemetry
+Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider.
 
-- Clear **Allow Firefox to send technical and interaction data to Mozilla**
-- Clear **Allow Firefox to install and run studies**
-- Clear **Allow Firefox to send backlogged crash reports on your behalf**
+##### Telemetry
+
+- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla**
+- [ ] Uncheck **Allow Firefox to install and run studies**
+- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf**
+
+> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
 
 ##### HTTPS-Only Mode
 
-- Select **Enable HTTPS-Only Mode in all windows**
+- [x] Select **Enable HTTPS-Only Mode in all windows**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing.
 
 #### Sync
 
-The [Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) service uses E2EE.
+[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE.
 
 #### Extensions
 
-We generally do not recommend installing any extensions as they increase your attack surface; however, if you want content blocking, [uBlock Origin](#additional-resources) might be useful to you. The extension is also a :trophy: [Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla.
+We generally do not recommend installing any extensions as they increase your attack surface. However, if you want content blocking, [uBlock Origin](#additional-resources) might be useful to you. The extension is also a :trophy: [Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla.
 
 #### Arkenfox (advanced)
 
-The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. These options are quite strict but a few are subjective and may cause some websites to not work properly. You can easily change these settings to suit your needs. We **strongly recommend** reading through their [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
+The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support.
 
-## Mobile Browser Recommendations
+### Brave
 
-Firefox on Android is still less secure than Chromium-based alternatives: Mozilla's engine [GeckoView](https://mozilla.github.io/geckoview/) has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
+!!! recommendation
+
+    ![Brave logo](assets/img/browsers/brave.svg){ align=right }
+
+    **Brave Browser** includes a built in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default.
+
+    Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues.
+
+    We don't recommend Brave's mobile browser offerings as there are better [options](#mobile-recommendations) for mobile platforms.
+
+    [Homepage](https://brave.com/){ .md-button .md-button--primary } [Privacy Policy](https://brave.com/privacy/browser/){ .md-button }
+
+    ??? downloads annotate
+
+        - [:fontawesome-brands-windows: Windows](https://brave.com/download/)
+        - [:fontawesome-brands-apple: macOS](https://brave.com/download/)
+        - [:fontawesome-brands-linux: Linux](https://brave.com/linux/) (1)
+        - [:fontawesome-brands-github: Source](https://github.com/brave/brave-browser)
+
+    1. We advise against using the Flatpak version of Brave as it is believed to feature a weaker sandboxing system. As well, the package is **not** maintained by Brave Software, Inc.
+
+#### Recommended Configuration
+
+Tor Browser is the only way to truly browse the internet anonymously. When you use Brave we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](#tor-browser) will be traceable by *somebody* in some regard or another.
+
+These options can be found in :material-menu: → **Settings**.
+
+##### Shields
+
+Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit.
+
+Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following:
+
+<div class="annotate" markdown>
+
+- [x] Select **Aggressive** under Trackers & ads blocking
+
+    ??? warning "Use default filter lists"
+        Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use.
+
+- [x] (Optional) Select **Block Scripts** (1)
+- [x] Select **Strict, may break sites** under Block fingerprinting
+
+</div>
+
+1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension.
+
+##### Social media blocking
+
+- [ ] Uncheck all social media components
+
+##### Privacy and Security
+
+- [ ] Select **Disable Non-Proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc)
+- [ ] Uncheck **Use Google services for push messaging**
+- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
+- [ ] Uncheck **Automatically send daily usage ping to Brave**
+- [x] Select **Always use secure connections** in the **Security** menu
+
+    !!! important "Sanitizing on Close"
+        - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
+
+        If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
+
+##### Extensions
+
+Disable the extensions you do not use in **Extensions**
+
+<div class="annotate" markdown>
+
+- [ ] Uncheck **Hangouts**
+- [ ] Uncheck **Private window with Tor** (1)
+- [ ] Uncheck **WebTorrent**
+
+</div>
+
+1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](#tor-browser).
+
+##### IPFS
+
+InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it.
+
+- [ ] Select **Disabled** on Method to resolve IPFS resources
+
+##### Additional settings
+
+Under the system *System* menu
+
+<div class="annotate" markdown>
+
+- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1)
+
+</div>
+
+1. This option is not present on all platforms.
+
+## Mobile Recommendations
+
+On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
 
 On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser.
 
@@ -115,10 +222,11 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.
 
     [Homepage](https://www.bromite.org){ .md-button .md-button--primary } [Privacy Policy](https://www.bromite.org/privacy){ .md-button }
 
-    ??? downloads
+    ??? downloads annotate
 
-        - [:fontawesome-brands-android: Android](https://www.bromite.org/fdroid)
+        - [:pg-f-droid: F-Droid](https://www.bromite.org/fdroid) (1)
         - [:fontawesome-brands-github: Source](https://github.com/bromite/bromite)
+    1. [Neo Store](/android/#neo-store) users can enable the *Bromite repository* in :material-dots-vertical: → **Repositories**
 
 These options can be found in :material-menu: → :gear: **Settings** → **Privacy and Security**.
 
@@ -126,13 +234,15 @@ These options can be found in :material-menu: → :gear: **Settings** → **Priv
 
 ##### HTTPS-Only Mode
 
-- Select **Always use secure connections**
+- [x] Select **Always use secure connections**
+
+This prevents you from unintentionally connecting to a website in plain-text HTTP. The HTTP protocol is extremely uncommon nowadays, so this should have little to no impact on your day to day browsing.
 
 ##### Always-on Incognito Mode
 
-- Select **Open links in incognito tabs always**
-- Select **Close all open tabs on exit**
-- Select **Open external links in incognito**
+- [x] Select **Open links in incognito tabs always**
+- [x] Select **Close all open tabs on exit**
+- [x] Select **Open external links in incognito**
 
 ### Safari
 
@@ -150,37 +260,43 @@ These options can be found in :gear: **Settings** → **Safari** → **Privacy a
 
 ##### Cross-Site Tracking Prevention
 
-Enable WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp).
+- [x] Enable **Prevent Cross-Site Tracking**
 
-- Select **Prevent Cross-Site Tracking** to enable
+This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability.
 
 ##### Privacy Report
 
 Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time.
 
-Privacy Report is accessible through the "**Aa**" icon in the URL bar.
+Privacy Report is accessible via the Page Settings menu (:pg-textformat-size:).
 
 ##### Privacy Preserving Ad Measurement
 
-This is WebKit's own [implementation](https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/) of privacy preserving ad click attribution. If you do not wish to participate, you can disable this feature.
+- [ ] Disable **Privacy Preserving Ad Measurement**
 
-- Select **Privacy Preserving Ad Measurement**
+Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy.
+
+The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature.
 
 ##### Apple Pay
 
 If you do not use Apple Pay, you can toggle off the ability for websites to check for it.
 
-- Select **Check for Apple Pay**
+- [ ] Disable **Allow websites to check for Apple Pay and Apple Card**
 
 ##### Always-on Private Browsing
 
-Open Safari and press the tabs icon in the bottom right corner. Open Tab Groups, located in the bottom middle.
+Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list.
 
-- Select **Private**
+- [x] Select **Private**
+
+Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature.
+
+Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience.
 
 ##### iCloud Sync
 
-While synchronization of Safari History, Tab Groups, and iCloud Tabs uses E2EE, bookmarks sync does [not](https://support.apple.com/en-us/HT202303); they are only encrypted in transit and stored in an encrypted format on Apple's servers. Apple may be able to decrypt and access them.
+Synchronization of Safari History, Tab Groups, iCloud Tabs, and saved passwords are E2EE. However, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/).
 
 If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.
 
@@ -198,7 +314,7 @@ We generally do not recommend installing [any extensions](https://www.sentinelon
 
     **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts.
 
-    We suggest enabling all of the [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) under the "Ads," "Privacy," and "Malware domains". The "Annoyances" and "Multipurpose" lists can also be enabled, but they may break some social media functions. The *AdGuard URL Tracking Protection* filter list makes extensions like CleanURLs and NeatURLs redundant.
+    We suggest leaving the extension in its default configuration, as extra filter lists can add additional [attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css).
 
     [Extension Info](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }
 
@@ -210,11 +326,9 @@ We generally do not recommend installing [any extensions](https://www.sentinelon
         - [:fontawesome-brands-opera: Opera](https://addons.opera.com/extensions/details/ublock)
         - [:fontawesome-brands-github: Source](https://github.com/gorhill/uBlock)
 
-We also suggest adding the [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) list and any of the regional lists that might apply to your browsing habits. To add this list, first access settings by clicking on the uBO icon, then the settings icon ( :gear: ). Go to the bottom of the Filter lists pane and place a checkmark next to Import under the Custom section. Paste the URL of the filter list above into the text area that appears below and click "Apply changes".
+!!! warning "Use default filter lists"
 
-Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.
-
-uBlock Origin also has different [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode). The easy mode [might not](https://www.ranum.com/security/computer_security/editorials/dumb/) necessarily keep you safe from every tracker out there, whereas the more advanced modes let you control exactly what needs to run.
+    Additional filter lists can impact performance may increase attack surface. Only apply what you need. If there is a [vulnerability in uBlock Origin](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) a third party filter could add malicious rules that can potentially steal user data.
 
 ### AdGuard for Safari
 
@@ -261,8 +375,8 @@ Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or b
 
     **Terms of Service; Didn't Read** grades websites based on their terms of service agreements and privacy policies. It also gives short summaries of those agreements. The analyses and ratings are published transparently by a community of reviewers.
 
-    [Website](https://tosdr.org){ .md-button .md-button--primary } [Privacy Policy](https://addons.mozilla.org/firefox/addon/terms-of-service-didnt-read/privacy){ .md-button }
+    [Website](https://tosdr.org){ .md-button .md-button--primary } [Privacy Policy](https://docs.tosdr.org/sp/tosdr.org-Privacy-Policy.89456373.html){ .md-button }
 
-We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website.
+We do not recommend installing ToS;DR as a browser extension; the same information is also provided on their website.
 
 --8<-- "includes/abbreviations.en.md"

docs/cloud.en.md

@@ -2,11 +2,11 @@
 title: "Cloud Storage"
 icon: material/file-cloud
 ---
-If you are currently using a Cloud Storage Service like Dropbox, Google Drive, Microsoft OneDrive or Apple iCloud, you are putting complete trust in your service provider to not look at your files.
+Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by either putting you in control of your data or by implementing E2EE.
 
-Trust your provider by using an alternative below that supports E2EE.
+If these alternatives do not fit your needs, we suggest you look into [Encryption Software](encryption.md).
 
-### Nextcloud
+## Nextcloud
 
 !!! recommendation
 
@@ -31,9 +31,9 @@ Trust your provider by using an alternative below that supports E2EE.
 
 We recommend checking if your Nextcloud provider supports E2EE, otherwise you have to trust the provider to not look at your files.
 
-When self hosting Nextcloud, you should also remember to enable E2EE to protect against your hosting provider from snooping on your data.
+When self hosting Nextcloud, you should also enable E2EE to protect against your hosting provider snooping on your data.
 
-### Proton Drive
+## Proton Drive
 
 !!! recommendation
 
@@ -49,16 +49,16 @@ When self hosting Nextcloud, you should also remember to enable E2EE to protect
 
 Proton Drive is currently in beta and only is only available through a web client.
 
-When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](threat-modeling.md), consider using an alternative.
+When using a web client, you are placing trust in the server to send you proper JavaScript code to derive the decryption key and authentication token locally in your browser. A compromised server can send you malicious JavaScript code to steal your master password and decrypt your data. If this does not fit your [threat model](basics/threat-modeling.md), consider using an alternative.
 
-### Cryptee
+## Cryptee
 
 !!! recommendation
 
     ![Cryptee logo](./assets/img/cloud/cryptee.svg#only-light){ align=right }
     ![Cryptee logo](./assets/img/cloud/cryptee-dark.svg#only-dark){ align=right }
 
-    **Cryptee** is an encrypted, secure photo storage service, and an encrypted documents editor to write personal docs, notes, journals, store files & more.
+    **Cryptee** is an encrypted, secure photo storage service, and an encrypted documents editor.
 
     [Website](https://crypt.ee){ .md-button .md-button--primary } [Privacy Policy](https://crypt.ee/privacy){ .md-button }
 
@@ -66,7 +66,7 @@ When using a web client, you are placing trust in the server to send you proper
 
         - [:fontawesome-brands-github: Source](https://github.com/cryptee/web-client)
 
-### Tahoe-LAFS
+## Tahoe-LAFS
 
 !!! note
 
@@ -78,7 +78,7 @@ When using a web client, you are placing trust in the server to send you proper
     ![Tahoe-LAFS logo](./assets/img/cloud/tahoe-lafs.svg#only-light){ align=right }
     ![Tahoe-LAFS logo](./assets/img/cloud/tahoe-lafs-dark.svg#only-dark){ align=right }
 
-    **Tahoe-LAFS** is a free and open decentralized cloud storage system. It distributes your data across multiple servers. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security. The servers used as storage pools do not have access to your data.
+    **Tahoe-LAFS** is a free, open, and decentralized cloud storage system. It distributes your data across multiple servers. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security. The servers used as storage pools do not have access to your data.
 
     [Homepage](https://www.tahoe-lafs.org){ .md-button .md-button--primary }
 

docs/dns.en.md

@@ -7,18 +7,17 @@ icon: material/dns
 
     Encrypted DNS with third party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.
 
-    [Learn more about DNS](technology/dns.md){ .md-button }
+    [Learn more about DNS](basics/dns.md){ .md-button }
 
 ## Recommended Providers
 
-| DNS Provider | Privacy Policy | Type | Protocols | Logging | ECS | Filtering |
-| ------------ | -------------- | ---- | --------- | ------- | --- | --------- |
-| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Commercial | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS)
-| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Commercial | Cleartext <br> DoH <br> DoT | Some[^2] | No | Based on server choice.|
-| [**ControlD**](https://controld.com) | [:octicons-link-external-24:](https://controld.com/privacy) | Commercial | Cleartext <br> DoH <br> DoT | Optional[^3] | No |  Based on server choice.  |
-| [**MullvadDNS**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | Commercial | DoH <br> DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock)
-| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Commercial | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Optional[^5] | Optional | Based on server choice. |
-| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Non-Profit | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^6] | Optional |  Based on server choice, Malware blocking by default. |
+| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering |
+| ------------ | -------------- | --------- | ------- | --- | --------- |
+| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS)
+| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext <br> DoH <br> DoT | Some[^2] | No | Based on server choice.|
+| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH <br> DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock)
+| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Optional[^5] | Optional | Based on server choice. |
+| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext <br> DoH <br> DoT <br> DNSCrypt | Some[^6] | Optional |  Based on server choice, Malware blocking by default. |
 
 [^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html)
 [^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/)
@@ -29,10 +28,10 @@ icon: material/dns
 
 The criteria for the servers listed above are:
 
-- Must support [DNSSEC](technology/dns.md#what-is-dnssec-and-when-is-it-used)
+- Must support [DNSSEC](basics/dns.md#what-is-dnssec)
 - Must have [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support
-- [QNAME Minimization](technology/dns.md#what-is-qname-minimization)
-- Allow for [ECS](technology/dns.md#what-is-edns-client-subnet-ecs) to be disabled
+- [QNAME Minimization](basics/dns.md#what-is-qname-minimization)
+- Allow for [ECS](basics/dns.md#what-is-edns-client-subnet-ecs) to be disabled
 
 ## Native Operating System Support
 
@@ -48,7 +47,7 @@ After installation of either a configuration profile or an app that utilizes the
 
 #### Signed Profiles
 
-Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [ControlD](https://kb.controld.com/en/tutorials), [NextDNS](https://apple.nextdns.io), [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
+Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
 
 #### iOS/iPadOS
 
@@ -74,7 +73,7 @@ Select **Settings** &rarr; **Network & Internet** &rarr; **Ethernet or WiFi**, &
 
 ## Encrypted DNS Proxies
 
-Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](technology/dns.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](technology/dns.md#what-is-encrypted-dns).
+Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](basics/dns.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](basics/dns.md#what-is-encrypted-dns).
 
 ### RethinkDNS
 
@@ -83,7 +82,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](te
     ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
     ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
 
-    **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), [DNS-over-TLS](technology/dns.md#dns-over-tls-dot), [DNSCrypt](technology/dns.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
+    **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), [DNS-over-TLS](basics/dns.md#dns-over-tls-dot), [DNSCrypt](basics/dns.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
 
     [Website](https://rethinkdns.com){ .md-button .md-button--primary } [Privacy Policy](https://rethinkdns.com/privacy){ .md-button }
 
@@ -99,7 +98,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](te
 
     ![DNSCloak logo](assets/img/ios/dnscloak.png){ align=right }
 
-    **DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), [DNSCrypt](technology/dns.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. You can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
+    **DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), [DNSCrypt](basics/dns.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. You can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
 
     [Project Info](https://github.com/s-s/dnscloak/blob/master/README.md){ .md-button .md-button--primary } [Privacy Policy](https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view){ .md-button }
 
@@ -114,9 +113,9 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](te
 
     ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
 
-    **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](technology/dns.md#dnscrypt), [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+    **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](basics/dns.md#dnscrypt), [DNS-over-HTTPS](basics/dns.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
 
-    !!! warning "The anonymized DNS feature does [**not**](technology/dns.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+    !!! warning "The anonymized DNS feature does [**not**](basics/dns.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
 
     [Wiki](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
 

docs/email-clients.en.md

@@ -11,7 +11,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 
     [Real-time Communication](real-time-communication.md){ .md-button }
 
-### Thunderbird
+## Thunderbird
 
 !!! recommendation
 
@@ -29,7 +29,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
         - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.Thunderbird)
         - [:fontawesome-brands-git: Source](https://hg.mozilla.org/comm-central)
 
-### Apple Mail
+## Apple Mail
 
 !!! note
 
@@ -43,7 +43,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 
     [Website](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } [Privacy Policy](https://www.apple.com/legal/privacy/en-ww/){ .md-button }
 
-### GNOME Evolution
+## GNOME Evolution
 
 !!! recommendation
 
@@ -58,7 +58,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
         - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.gnome.Evolution)
         - [:fontawesome-brands-gitlab: Source](https://gitlab.gnome.org/GNOME/evolution)
 
-### Kontact
+## Kontact
 
 !!! recommendation
 
@@ -74,7 +74,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
         - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.kde.kontact)
         - [:fontawesome-brands-git: Source](https://invent.kde.org/pim/kmail)
 
-### Mailvelope
+## Mailvelope
 
 !!! recommendation
 
@@ -91,7 +91,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
         - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc)
         - [:fontawesome-brands-github: Source](https://github.com/mailvelope/mailvelope)
 
-### K-9 Mail
+## K-9 Mail
 
 !!! recommendation
 
@@ -107,7 +107,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
         - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9)
         - [:fontawesome-brands-github: Source](https://github.com/k9mail)
 
-### FairEmail
+## FairEmail
 
 !!! recommendation
 
@@ -123,7 +123,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
         - [:pg-f-droid: F-Droid](https://f-droid.org/packages/eu.faircode.email/)
         - [:fontawesome-brands-github: Source](https://github.com/M66B/FairEmail)
 
-### Canary Mail
+## Canary Mail
 
 !!! recommendation
 
@@ -146,7 +146,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
 
 Canary Mail is closed source. We recommend it, due to the few choices there are for email clients on iOS that support PGP E2EE.
 
-### NeoMutt
+## NeoMutt
 
 !!! recommendation
 

docs/email.en.md

@@ -12,7 +12,7 @@ For everything else, we recommend a variety of email providers based on sustaina
 
     When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about email metadata.
 
-    OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. How do I protect my private keys?
+    OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](email.md#how-do-i-protect-my-private-keys)
 
 ## Recommended Email Providers
 
@@ -100,45 +100,6 @@ For everything else, we recommend a variety of email providers based on sustaina
 
     All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
 
-### Disroot
-
-!!! recommendation
-
-    ![Disroot logo](assets/img/email/disroot.svg#only-light){ align=right }
-    ![Disroot logo](assets/img/email/disroot-dark.svg#only-dark){ align=right }
-
-    **Disroot** offers email amongst [other services](https://disroot.org/en/#services). The service is maintained by volunteers and its community. They have been in operation since 2015. Disroot is based in Amsterdam. Disroot is free and uses open source software such as Rainloop to provide service. You can support the service through donations and buying extra storage. The mailbox limit is 1 GB, but extra storage can be purchased 0.15€ per GB per month paid yearly.
-
-    **Free**
-
-    [Website](https://disroot.org){ .md-button .md-button--primary } [Privacy Policy](https://disroot.org/en/privacy_policy){ .md-button }
-
-??? check "Custom Domains and Aliases"
-
-    Disroot lets you use your own domain. They have aliases, however you must [manually apply](https://disroot.org/en/forms/alias-request-form) for them.
-
-??? check "Private Payment Methods"
-
-    Disroot accepts Bitcoin and Faircoin as payment methods. They also accept PayPal, direct bank deposit, and Patreon payments. Disroot is a not-for-profit organization that also accepts donations through Liberapay, Flattr, and Monero, but these payment methods cannot be used to purchase services.
-
-??? check "Account Security"
-
-    Disroot supports TOTP two factor authentication for webmail only. They do not allow U2F security key authentication.
-
-??? warning "Data Security"
-
-    Disroot uses FDE. However, it doesn't appear to be "zero access", meaning it is technically possible for them to decrypt the data they have if it is not additionally encrypted with a tool like OpenPGP.
-
-    Disroot also uses the standard [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) protocols for calendars and contacts, which do not support E2EE. A [standalone option](calendar-contacts.md) may be more appropriate.
-
-??? check "Email Encryption"
-
-    Disroot allows for encrypted emails to be sent from their webmail application using OpenPGP. However, Disroot has not integrated a Web Key Directory (WKD) for email accounts on their platform.
-
-??? info "Additional Functionality"
-
-    They offer [other services](https://disroot.org/en/#services) such as NextCloud, XMPP Chat, Etherpad, Ethercalc, Pastebin, Online polls and a Gitea instance. They also have an app [available in F-Droid](https://f-droid.org/packages/org.disroot.disrootapp/).
-
 ### Tutanota
 
 !!! recommendation
@@ -350,16 +311,16 @@ We regard these features as important in order to provide a safe and optimal ser
 
 **Minimum to Qualify:**
 
-- Encrypts account data at rest.
-- Integrated webmail encryption provides convenience to those who want an improvement on having no E2EE.
+- Encrypts email account data at rest with zero-access encryption.
+- Integrated webmail E2EE/PGP encryption provided as a convenience.
 
 **Best Case:**
 
-- Encrypts account data at rest with zero-access encryption.
-- Allow you to use your own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important, because they allow you to maintain your agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy, etc.
+- Encrypts all account data (Contacts, Calendars etc) at rest with zero-access encryption.
+- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy etc.
 - Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP.
-    You can get a key by typing: `gpg --locate-key example_user@example.com`
-- Support for a temporary mailbox for outside accounts. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+    GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
 - Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
 - [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
 - Catch-all or alias functionality for those who own their own domains.
@@ -396,9 +357,8 @@ Email servers deal with a lot of very sensitive data. We expect that providers w
 - A server suite preference of TLS 1.2 or later and a plan for [Deprecating TLSv1.0 and TLSv1.1](https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/).
 - [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
 - Website security standards such as:
-
-- [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
-- [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
+    - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+    - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains.
 
 **Best Case:**
 
@@ -408,9 +368,8 @@ Email servers deal with a lot of very sensitive data. We expect that providers w
 - Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
 - Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
 - Website security standards such as:
-
-- [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
-- [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
+    - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
+    - [Expect-CT](https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct)
 
 ### Trust
 
@@ -504,3 +463,4 @@ When emails travel between email providers an encrypted connection is negotiated
 - [The Government Can (Still) Read Most Of Your Emails Without A Warrant (2013)](https://thinkprogress.org/the-government-can-still-read-most-of-your-emails-without-a-warrant-322fe6defc7b/)
 
 --8<-- "includes/abbreviations.en.md"
+

docs/encryption.en.md

@@ -38,7 +38,7 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru
 
     ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
 
-    **Cryptomator** makes it easy for you to upload files to the cloud in a virtual encrypted file system.
+    **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
 
     [Homepage](https://cryptomator.org){ .md-button .md-button--primary } [Privacy Policy](https://cryptomator.org/privacy){ .md-button }
 
@@ -49,11 +49,15 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru
         - [:fontawesome-brands-linux: Linux](https://cryptomator.org/downloads)
         - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
-        - [:fontawesome-brands-android: F-Droid repo](https://cryptomator.org/android)
+        - [:pg-f-droid: F-Droid](https://cryptomator.org/android)
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
         - [:fontawesome-brands-github: Source](https://github.com/cryptomator)
 
-Some of the Cryptomator Crypto Libraries have been [audited](https://cryptomator.org/open-source/) by [Cure53](https://cryptomator.org/audits/2017-11-27%20crypto%20cure53.pdf). The scope of those libraries included [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). It did not include [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift) which is now used on iOS.
+Cryptomator utilizes AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt some metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
+
+Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries include: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
+
+Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail.
 
 ### Picocrypt
 

docs/file-sharing.en.md

@@ -29,7 +29,7 @@ Discover how to privately share your files between your devices, with your frien
 
     ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ align=right }
 
-    Magic Wormhole is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. Their motto: "Get things from one computer to another, safely.
+    **Magic Wormhole** is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. Their motto: "Get things from one computer to another, safely.
 
     [Homepage](https://magic-wormhole.readthedocs.io){ .md-button .md-button--primary }
 
@@ -46,7 +46,7 @@ Discover how to privately share your files between your devices, with your frien
 
     ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right }
 
-    **FreedomBox** is a operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to selfhost.
+    **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to selfhost.
 
     [Homepage](https://freedombox.org){ .md-button .md-button--primary }
 
@@ -62,7 +62,7 @@ Discover how to privately share your files between your devices, with your frien
 
     ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right }
 
-    **Syncthing** replaces proprietary sync and cloud services with something open, trustworthy, and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third-party, and how it is transmitted over the Internet.
+    **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS.
 
     [Homepage](https://syncthing.net){ .md-button .md-button--primary }
 

docs/index.en.md

@@ -26,7 +26,7 @@ Trying to protect all your data from everyone all the time is impractical, expen
 
 ==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.
 
-[:material-book-outline: Learn More About Threat Modeling](threat-modeling.md){ .md-button .md-button--primary }
+[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md){ .md-button .md-button--primary }
 </div>
 </div>
 

docs/linux-desktop.en.md

@@ -170,7 +170,7 @@ There isn’t much point in randomizing the MAC address for Ethernet connections
 
 ### Other Identifiers
 
-There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](threat-modeling.md):
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](basics/threat-modeling.md):
 
 - **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
 - **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.

docs/linux-desktop/overview.en.md

@@ -7,7 +7,7 @@ It is often believed that [open source](https://en.wikipedia.org/wiki/Open-sourc
 At the moment, desktop GNU/Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g:
 
 - A verified boot chain, unlike Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot) or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack)
-- Strong sandboxing solution such as that found in [MacOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
+- Strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go
 - Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations)
 
 Despite these drawbacks, desktop GNU/Linux distributions are great if you want to:
@@ -28,13 +28,9 @@ For frozen distributions, package maintainers are expected to backport patches t
 
 We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
 
-<iframe width="100%" style="height:50vh"
-  src="https://www.youtube-nocookie.com/embed/i8c0mg_mS7U"
-  title="Regular Releases are Wrong, Roll for your life"
-  frameborder="0"
-  allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
-  allowfullscreen>
-</iframe>
+<div class="yt-embed">
+  <iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/i8c0mg_mS7U" title="Regular Releases are Wrong, Roll for your life" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
+</div>
 
 ## Traditional vs Atomic updates
 
@@ -46,13 +42,9 @@ A transactional update system creates a snapshot that is made before and after a
 
 The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
 
-<iframe width="100%" style="height:50vh"
-  src="https://www.youtube-nocookie.com/embed/-hpV5l-gJnQ"
-  title="Let's try Fedora Silverblue — an immutable desktop OS! - Adam Šamalik"
-  frameborder="0"
-  allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
-  allowfullscreen>
-</iframe>
+<div class="yt-embed">
+  <iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/-hpV5l-gJnQ" title="Let's try Fedora Silverblue — an immutable desktop OS! - Adam Šamalik" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
+</div>
 
 ## “Security-focused” distributions
 

docs/linux-desktop/sandboxing.en.md

@@ -2,7 +2,7 @@
 title: Application Sandboxing
 icon: octicons/apps-16
 ---
-Some sandboxing solutions for desktop Linux distributions do exist, however they are not as strict as those found in MacOS or ChromeOS. Applications installed from the package manager (`dnf`, `apt`, etc.) typically have **no** sandboxing or confinement whatsoever. Below are a few projects that aim to solve this problem:
+Some sandboxing solutions for desktop Linux distributions do exist, however they are not as strict as those found in macOS or ChromeOS. Applications installed from the package manager (`dnf`, `apt`, etc.) typically have **no** sandboxing or confinement whatsoever. Below are a few projects that aim to solve this problem:
 
 ### Flatpak
 

docs/metadata-removal-tools.en.md

@@ -80,7 +80,7 @@ Imagepipe is only available from F-Droid and not in Google Play. If you're looki
 
 ### Metapho
 
-!!! attention
+!!! warning
 
     Metapho is closed source. We recommend it, due to the few choices there are for iOS devices.
 

docs/multi-factor-authentication.en.md

@@ -10,7 +10,7 @@ icon: 'material/two-factor-authentication'
 
     ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
 
-    The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](security/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](security/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+    The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
 
     One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.
 
@@ -22,7 +22,7 @@ YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/su
 
 For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
 
-!!! attention
+!!! warning
     The firmware of YubiKeys are not open source and are not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
 
 ### Nitrokey / Librem Key
@@ -31,7 +31,7 @@ For models which support HOTP and TOTP, there are 2 slots in the OTP interface w
 
     ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
 
-    **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](security/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+    **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
 
     [Website](https://www.nitrokey.com){ .md-button .md-button--primary } [Privacy Policy](https://www.nitrokey.com/data-privacy-policy){ .md-button }
 
@@ -77,7 +77,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
         - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.beemdevelopment.aegis)
-        - [:fontawesome-brands-github: GitHub](https://github.com/beemdevelopment/Aegis)
+        - [:fontawesome-brands-github: Source](https://github.com/beemdevelopment/Aegis)
 
 ### Raivo OTP
 
@@ -93,6 +93,6 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
         - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/us/app/raivo-otp/id1498497896)
-        - [:fontawesome-brands-github: GitHub](https://github.com/raivo-otp/ios-application)
+        - [:fontawesome-brands-github: Source](https://github.com/raivo-otp/ios-application)
 
 --8<-- "includes/abbreviations.en.md"

docs/notebooks.en.md

@@ -29,7 +29,7 @@ If you are currently using an application like Evernote, Google Keep, or Microso
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
         - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.cozic.joplin)
-        - [:fontawesome-brands-github: GitHub](https://github.com/laurent22/joplin)
+        - [:fontawesome-brands-github: Source](https://github.com/laurent22/joplin)
 
 Joplin does not support password/pin protection for the [application itself or individual notes/notebooks](https://github.com/laurent22/joplin/issues/289). Data is still encrypted in transit and at the sync location using your master key.
 
@@ -52,7 +52,7 @@ Joplin does not support password/pin protection for the [application itself or i
         - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
         - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.standardnotes)
         - [:octicons-browser-16: Browser](https://app.standardnotes.com/)
-        - [:fontawesome-brands-github: GitHub](https://github.com/standardnotes)
+        - [:fontawesome-brands-github: Source](https://github.com/standardnotes)
 
 ### EteSync Notes
 
@@ -72,7 +72,7 @@ Joplin does not support password/pin protection for the [application itself or i
         - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.etesync.notes)
         - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/etesync-notes/id1533806351)
         - [:octicons-browser-16: Browser](https://notes.etesync.com)
-        - [:fontawesome-brands-github: GitHub](https://github.com/etesync)
+        - [:fontawesome-brands-github: Source](https://github.com/etesync)
 
 ## Local notebooks
 
@@ -82,7 +82,7 @@ Joplin does not support password/pin protection for the [application itself or i
 
     ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right }
 
-    **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](/software/file-sharing/#sync) tools.
+    **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](/file-sharing/#file-sync) tools.
 
     [Homepage](https://orgmode.org){ .md-button .md-button--primary }
 

docs/passwords.en.md

@@ -8,7 +8,7 @@ Stay safe and secure online with an encrypted and open-source password manager.
 
 - Always use unique passwords. Don't make yourself a victim of "[credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing)".
 - Store an exported backup of your passwords in an [encrypted container](encryption.md) on another storage device. This can be useful if something happens to your device or the service you are using.
-- If possible, store TOTP tokens in a separate [TOTP app](security/multi-factor-authentication.md#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
+- If possible, store TOTP tokens in a separate [TOTP app](basics/multi-factor-authentication.md#authenticator-apps) and not your password manager. TOTP codes are generated from a "[shared secret](https://en.wikipedia.org/wiki/Time-based_one-time_password#Security)". If the secret is obtained by an adversary they can generate TOTP values. Typically, mobile platforms have better app isolation and more secure methods for storing sensitive credentials.
 
 ## Local Password Managers
 
@@ -146,7 +146,7 @@ These products are minimal password managers that can be used within scripting a
 
     ![gopass logo](assets/img/password-management/gopass.svg){ align=right }
 
-    **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, MacOS, BSD, Windows).
+    **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows).
 
     [Homepage](https://www.gopass.pw){ .md-button .md-button--primary }
 

docs/qubes.en.md

@@ -2,10 +2,6 @@
 title: "Qubes OS"
 icon: pg/qubes-os
 ---
-Qubes OS is a distribution of Linux that uses [Xen](https://en.wikipedia.org/wiki/Xen) to provide app isolation.
-
-### Qubes OS
-
 !!! recommendation
 
     ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }

docs/real-time-communication.en.md

@@ -60,7 +60,7 @@ Profile pictures, reactions, and nicknames are not encrypted.
 
 Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non room participants can also join the calls. We recommend that you do not use this feature for private meetings.
 
-When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](threat-modeling.md) requires stronger protection, then use a desktop or mobile client instead.
+When using [element-web](https://github.com/vector-im/element-web), you must trust the server hosting the Element client. If your [threat model](basics/threat-modeling.md) requires stronger protection, then use a desktop or mobile client instead.
 
 The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/).
 

docs/router.en.md

@@ -4,7 +4,7 @@ icon: material/router-wireless
 ---
 Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points etc.
 
-### OpenWrt
+## OpenWrt
 
 !!! recommendation
 
@@ -21,7 +21,7 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F
 
 You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported.
 
-### pfSense
+## pfSense
 
 !!! recommendation
 

docs/search-engines.en.md

@@ -8,7 +8,7 @@ The recommendations here are based on the merits of each service's privacy polic
 
 Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider.
 
-### DuckDuckGo
+## DuckDuckGo
 
 !!! recommendation
 
@@ -27,7 +27,7 @@ DuckDuckGo is based in the :flag_us: United States. Their [privacy policy](https
 
 DuckDuckGo offers two other [versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version.
 
-### Startpage
+## Startpage
 
 !!! recommendation
 
@@ -44,7 +44,7 @@ Startpage is based in the :flag_nl: Netherlands. According to their [privacy pol
 
 Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have an distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received.
 
-### Mojeek
+## Mojeek
 
 !!! recommendation
 
@@ -56,7 +56,7 @@ Startpage's majority shareholder is System1 who is an adtech company. We don't b
 
 The company is based in the :flag_gb: UK. According to their [Privacy Policy](https://www.mojeek.com/about/privacy/), they log the originating country, time, page requested, and referral data of each query. IP addresses are not logged.
 
-### SearXNG
+## SearXNG
 
 !!! recommendation
 

docs/self-contained-networks.en.md

@@ -2,11 +2,9 @@
 title: "Self-Contained Networks"
 icon: material/security-network
 ---
-If you are currently browsing clearnet and want to access the dark web, this section is for you.
+These networks are designed to keep your traffic anonymous.
 
-## Self-contained Networks
-
-### Tor
+## Tor
 
 !!! recommendation
 
@@ -29,7 +27,7 @@ If you are currently browsing clearnet and want to access the dark web, this sec
         - [:fontawesome-brands-android: Android](https://www.torproject.org/download/#android)
         - [:fontawesome-brands-git: Source](https://gitweb.torproject.org/tor.git)
 
-### Invisible Internet Project
+## Invisible Internet Project
 
 !!! recommendation
 
@@ -53,7 +51,7 @@ If you are currently browsing clearnet and want to access the dark web, this sec
         - [:pg-f-droid: F-Droid](https://f-droid.org/app/net.i2p.android.router)
         - [:fontawesome-brands-git: Source](https://geti2p.net/en/get-involved/guides/new-developers#getting-the-i2p-code)
 
-### The Freenet Project
+## The Freenet Project
 
 !!! recommendation
 

docs/stylesheets/extra.css

@@ -155,3 +155,19 @@ h1, h2, h3, .md-header__topic {
 .no-js .md-sidebar {
     align-self: auto;
 }
+
+/* Maintain 16:9 aspect ratio on embedded YT videos */
+.yt-embed {
+    position: relative;
+    width: 100%;
+    padding-bottom: 56.25%; 
+    height: 0;
+}
+
+.yt-embed iframe {
+    position: absolute;
+    top:0;
+    left: 0;
+    width: 100%;
+    height: 100%;
+}

docs/tools.en.md

@@ -17,11 +17,14 @@ For your convenience, everything we recommend is listed below with a link to the
 
 - ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](https://www.torproject.org/)
 - ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Desktop)](https://firefox.com/)
+- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Desktop)](https://brave.com/)
 - ![Bromite logo](assets/img/browsers/bromite.svg){ .twemoji } [Bromite (Android)](https://www.bromite.org/)
 - ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](https://www.apple.com/safari/)
 
 </div>
 
+[Learn more :material-arrow-right:](browsers.md)
+
 **Additional Resources:**
 
 <div class="grid cards annotate" markdown>
@@ -37,7 +40,7 @@ For your convenience, everything we recommend is listed below with a link to the
 2. We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website.
 
 
-[Learn more :material-arrow-right:](browsers.md)
+[Learn more :material-arrow-right:](browsers.md#additional-resources)
 
 ## Operating Systems
 
@@ -51,6 +54,8 @@ For your convenience, everything we recommend is listed below with a link to the
 
 </div>
 
+[Learn more :material-arrow-right:](android.md)
+
 **Android Apps:**
 
 <div class="grid cards" markdown>
@@ -65,7 +70,7 @@ For your convenience, everything we recommend is listed below with a link to the
 
 </div>
 
-[Learn more :material-arrow-right:](android.md)
+[Learn more :material-arrow-right:](android.md#general-apps)
 
 ### Linux
 
@@ -125,21 +130,24 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 - ![ProtonMail logo](assets/img/email/mini/protonmail.svg){ .twemoji } [ProtonMail](https://protonmail.com/)
 - ![Mailbox.org logo](assets/img/email/mini/mailboxorg.svg){ .twemoji } [Mailbox.org](https://mailbox.org/)
-- ![Disroot logo](assets/img/email/mini/disroot.svg#only-light){ .twemoji }![Disroot logo](assets/img/email/mini/disroot-dark.svg#only-dark){ .twemoji } [Disroot](https://disroot.org/)
 - ![Tutanota logo](assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](https://tutanota.com/)
 - ![StartMail logo](assets/img/email/mini/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/mini/startmail-dark.svg#only-dark){ .twemoji } [StartMail](https://startmail.com/)
 
 </div>
 
-**Email Cloaking Services:**
+[Learn more :material-arrow-right:](email.md)
+
+**Email Aliasing Services:**
 
 <div class="grid cards" markdown>
 
-- ![AnonAddy logo](assets/img/email/mini/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/mini/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](https://anonaddy.com/)
 - ![SimpleLogin logo](assets/img/email/mini/simplelogin.svg){ .twemoji } [SimpleLogin](https://simplelogin.io/)
+- ![AnonAddy logo](assets/img/email/mini/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/mini/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](https://anonaddy.com/)
 
 </div>
 
+[Learn more :material-arrow-right:](email.md#email-aliasing-services)
+
 **Self-Hosting Email:**
 
 <div class="grid cards" markdown>
@@ -149,7 +157,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 </div>
 
-[Learn more :material-arrow-right:](email.md)
+[Learn more :material-arrow-right:](email.md#self-hosting-email)
 
 ### Search Engines
 
@@ -252,6 +260,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 </div>
 
+[Learn more :material-arrow-right:](encryption.md#openpgp)
+
 **OpenPGP Clients:**
 
 <div class="grid cards" markdown>

docs/video-streaming.en.md

@@ -28,7 +28,7 @@ The primary threat when using a video streaming platform is that your streaming
 
 !!! Warning
 
-    When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](threat-modeling.md) requires hiding your IP address.
+    When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
 
 ### LBRY
 
@@ -55,7 +55,7 @@ The primary threat when using a video streaming platform is that your streaming
 
 !!! warning
 
-    While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](threat-modeling) requires hiding your IP address.
+    While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
 
 We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.
 

includes/abbreviations.en.md

@@ -12,10 +12,12 @@
 *[DoT]: DNS over TLS
 *[E2EE]: End-to-End Encryption/Encrypted
 *[ECS]: EDNS Client Subnet
+*[EEA]: European Economic Area
 *[EOL]: End-of-Life
 *[Exif]: Exchangeable image file format
 *[FDE]: Full Disk Encryption
 *[FIDO]: Fast IDentity Online
+*[GDPR]: General Data Protection Regulation
 *[GPG]: GNU Privacy Guard (PGP implementation)
 *[GPS]: Global Positioning System
 *[GUI]: Graphical User Interface
@@ -73,3 +75,4 @@
 *[cgroups]: Control Groups
 *[fork]: In software development, a fork is created when developers take a copy of source code from one software package and start independent development on it, creating a distinct and separate piece of software.
 *[rolling release]: An update release cycle in which updates are released very frequently, instead of at set intervals.
+*[walled garden]: A walled garden (or closed platform) is one in which the service provider has control over applications, content, and/or media, and restricts convenient access to non-approved applicants or content.

mkdocs.yml

@@ -139,9 +139,10 @@ nav:
   - Home: 'index.md'
   - 'Knowledge Base':
     - 'The Basics':
-      - 'threat-modeling.md'
-      - 'technology/dns.md'
-      - 'security/multi-factor-authentication.md'
+      - 'basics/threat-modeling.md'
+      - 'basics/dns.md'
+      - 'basics/multi-factor-authentication.md'
+      - 'basics/account-deletion.md'
     - 'Android':
       - 'android/overview.md'
       - 'android/grapheneos-vs-calyxos.md'

theme/.icons/pg/textformat-size.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 89 57"><path d="M45.767 57.018c1.14 0 2.035-.253 2.686-.757.651-.505 1.188-1.36 1.611-2.564l4.444-12.402h21.777l4.443 12.402c.424 1.205.96 2.06 1.612 2.564.65.504 1.546.757 2.685.757 1.14 0 2.06-.326 2.76-.977.699-.651 1.049-1.53 1.049-2.637 0-.683-.163-1.465-.488-2.344L71.06 4.527C70.05 1.825 68.163.475 65.395.475c-2.734 0-4.59 1.35-5.566 4.052L42.545 51.11c-.326.88-.488 1.66-.488 2.344 0 1.107.333 1.978 1 2.612.668.635 1.571.953 2.71.953Zm10.84-22.315 8.643-24.512h.244l8.643 24.512h-17.53ZM4.46 57.018c.911 0 1.668-.245 2.27-.733.603-.488 1.066-1.27 1.392-2.344l2.734-8.447h14.453l2.735 8.447c.358 1.107.846 1.897 1.465 2.369.618.472 1.367.708 2.246.708 1.107 0 1.994-.31 2.661-.928.667-.619 1-1.432 1-2.442 0-.423-.048-.846-.145-1.27a11.847 11.847 0 0 0-.391-1.318l-11.28-30.322c-.52-1.367-1.245-2.392-2.172-3.076-.928-.683-2.043-1.025-3.345-1.025-1.27 0-2.368.333-3.296 1-.928.668-1.636 1.702-2.124 3.101L1.334 51.06a7.306 7.306 0 0 0-.488 2.588c0 1.01.325 1.823.976 2.442.651.618 1.53.928 2.637.928Zm8.3-17.14 4.786-15.038h1.074l4.834 15.039H12.76Z"/></svg>

theme/overrides/home.en.html

@@ -1,6 +1,11 @@
 {% extends "base.html" %}
 {% block extrahead %}
   <link rel="stylesheet" href="{{ 'overrides/home.css' | url }}">
+  <link rel="me" href="https://aragon.sh/@jonah">
+  <link rel="me" href="https://fosstodon.org/@freddy">
+  <link rel="me" href="https://mastodon.social/@dngray">
+  <link rel="me" href="https://mastodon.social/@blacklight447">
+  <link rel="me" href="https://fosstodon.org/@hook54321">
 {% endblock %}
 {% block tabs %}
   {{ super() }}