Add online services and donation information (#1110 )

Fix broken PR preview teardowns
Plausible analytics (#1112 )
2025-07-03 18:12:41 +00:00 · 2022-04-26 23:15:21 -05:00 · 2022-04-26 23:13:24 -05:00 · 2022-04-26 21:52:59 -05:00 · 2022-04-26 21:52:13 -05:00 · 2022-04-26 13:53:02 -05:00
53 changed files with 441 additions and 450 deletions
--- a/.github/workflows/crowdin.yml
+++ b/.github/workflows/crowdin.yml
@ -1,4 +1,4 @@
-name: Crowdin Upload
+name: 💬 Crowdin Upload

 on:
  push:
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@ -1,4 +1,5 @@
-name: Deploy Website
+name: 📦 Deploy Website
+
 on:
  workflow_dispatch:
  release:
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@ -0,0 +1,40 @@
+name: 🔂 Surge PR Preview
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  preview:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      contents: write
+    environment: preview
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: '0'
+          ref: ${{github.event.pull_request.head.ref}}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+          ssh-key: ${{ secrets.ACTIONS_SSH_KEY }}
+          submodules: 'true'
+
+      - name: Set up Python runtime
+        uses: actions/setup-python@v3
+        with:
+          python-version: '3.7'
+
+      - name: Deploy to surge.sh
+        uses: afc163/surge-preview@v1
+        with:
+          surge_token: ${{ secrets.SURGE_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          dist: site
+          failOnError: 'true'
+          build: |
+            pip install pipenv
+            pipenv install
+            pipenv run mkdocs build
--- a/3
+++ b/3
@ -8,9 +8,10 @@ mkdocs = "*"
 mkdocs-material = {path = "./mkdocs-material"}
 mkdocs-static-i18n = "*"
 mkdocs-git-revision-date-localized-plugin = "*"
+typing-extensions = "*"

 [dev-packages]
 scour = "*"

 [requires]
-python_version = "3.8"
+python_version = "3.7"
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -1,11 +1,11 @@
 {
    "_meta": {
        "hash": {
-            "sha256": "417ce9a8799680d98bc8933ac6f592b68dda2e97429d2671290c112bdba09d91"
+            "sha256": "2d68765ce86bf264f0a29d6b9f31202a71615d6aad4653cffc874bd095267d29"
        },
        "pipfile-spec": 6,
        "requires": {
-            "python_version": "3.8"
+            "python_version": "3.7"
        },
        "sources": [
            {
@ -405,11 +405,11 @@
        },
        "pygments": {
            "hashes": [
-                "sha256:44238f1b60a76d78fc8ca0528ee429702aae011c265fe6a8dd8b63049ae41c65",
-                "sha256:4e426f72023d88d03b2fa258de560726ce890ff3b630f88c21cbb8b2503b8c6a"
+                "sha256:5eb116118f9612ff1ee89ac96437bb6b49e8f04d8a13b514ba26f620208e26eb",
+                "sha256:dc9c10fb40944260f6ed4c688ece0cd2048414940f1cea51b8b226318411c519"
            ],
-            "markers": "python_version >= '3.5'",
-            "version": "==2.11.2"
+            "markers": "python_version >= '3.6'",
+            "version": "==2.12.0"
        },
        "pymdown-extensions": {
            "hashes": [
@ -521,6 +521,14 @@
            "markers": "python_version >= '3.6'",
            "version": "==1.1.1"
        },
+        "typing-extensions": {
+            "hashes": [
+                "sha256:6657594ee297170d19f67d55c05852a874e7eb634f4f753dbd667855e07c1708",
+                "sha256:f1c24655a0da0d1b67f07e17a5e6b2a105894e6824b92096378bb3668ef02376"
+            ],
+            "index": "pypi",
+            "version": "==4.2.0"
+        },
        "urllib3": {
            "hashes": [
                "sha256:44ece4d53fb1706f667c9bd1c648f5469a2ec925fcf3a776667042d645472c14",
--- a/README.md
+++ b/README.md
@ -62,9 +62,9 @@ Our current list of team members can be found [here](https://github.com/orgs/pri
 3. Install **pipenv**: `pip install pipenv`
 4. Start a pipenv shell: `pipenv shell`
 5. Install dependencies: `pipenv install --dev`
-6. Serve the site locally: `mkdocs serve --config-file mkdocs.production.yml`
+6. Serve the site locally: `mkdocs serve`
    - The site will be available at `http://localhost:8000`
-    - You can build the site locally with `mkdocs build --config-file mkdocs.production.yml`
+    - You can build the site locally with `mkdocs build`
    - This version of the site should be identical to the live, production version

 ## Releasing
--- a/docs/about.en.md
+++ b/docs/about.en.md
@ -1,6 +1,5 @@
 ---
 title: "About Privacy Guides"
-icon: pg/privacyguides
 ---

 **Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit collective operated entirely by volunteer team members and contributors.
--- a/docs/about/donate.en.md
+++ b/docs/about/donate.en.md
@ -0,0 +1,37 @@
+---
+title: Donation Methods
+---
+<!-- markdownlint-disable MD036 -->
+:heart: Thank you for supporting Privacy Guides.
+
+It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, the best way to help out is by getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides).
+
+If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers.
+
+[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate){ .md-button .md-button--primary }
+
+Donations made directly to us Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you.
+
+If you already make use of GitHub sponsorships, you can also sponsor our organization there.
+
+[Sponsor us on GitHub](https://github.com/sponsors/privacyguides){ .md-button }
+
+Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including:
+
+**Domain Registrations**
+
+:   We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration.
+
+**Web Hosting**
+
+:   Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic.
+
+**Online Services**
+
+:   We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (searx, tor, etc.), and some are provided for our team members (email, etc.).
+
+**Product Purchases**
+
+:   We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md).
+
+We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation please reach out to [jonah@privacyguides.org](mailto:).
--- a/docs/about/notices.en.md
+++ b/docs/about/notices.en.md
@ -1,6 +1,5 @@
 ---
 title: "Notices and Disclaimers"
-icon: material/message-alert
 hide:
    - toc
 ---
--- a/docs/about/privacy-policy.en.md
+++ b/docs/about/privacy-policy.en.md
@ -1,42 +1,24 @@
 ---
 title: "Privacy Policy"
-icon: material/file-search
 ---
-
-## Who is Privacy Guides?
-
 Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people).

-## How does Privacy Guides collect data about me?
+## Data We Collect From Visitors

-We collect data:
+The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website:

-* When you browse a website, forum, or other Privacy Guides service.
-* When you create an account on a Privacy Guides service.
-* When you post, send private messages, or otherwise participate on a Privacy Guides service.
+- No personal information is collected
+- No information such as cookies is stored in the browser
+- No information is shared with, sent to or sold to third-parties
+- No information is shared with advertising companies
+- No information is mined and harvested for personal and behavioral trends
+- No information is monetized

-This data will be collected regardless of browser, device, or app used to access our services. We do not buy or otherwise receive data from data brokers.
+We run a self-hosted version of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected.

-## What data do you collect and why?
+Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more.

-### We collect data about visits to our websites
-
-When you visit a Privacy Guides website or service, regardless of whether you have an account or not, the website may use cookies, server logs, and other methods to collect the following data:
-
-* What pages you visit,
-* Your anonymized IP address: We anonymize the last 3 bytes of your IP, e.g. 192.xxx.xxx.xxx.
-
-We use this data to:
-
-* Optimize websites and services, so that they are quick and easy to use,
-* Diagnose and debug technical errors,
-* Defend websites and services from abuse and technical attacks.
-
-This data is processed under our [Legitimate Interest](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/) to provide our services to you in a an efficient and secure manner and to ensure the legal compliance and proper administration of our business.
-
-Raw data such as pages visited, anonymized visitor IPs, and visitor actions will be retained for 60 days. In special circumstances—such as extended investigations regarding a technical attack—we may preserve logged data for longer periods for analysis. We store aggregate statistics about use of the websites and services we host indefinitely, but those statistics do not include data identifiable to you personally.
-
-### We collect account data
+## Data We Collect From Account Holders

 On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform.

@ -46,47 +28,22 @@ We use your account data to identify you on the website and to create pages spec

 We use your email to:

-* Notify you about posts and other activity on the websites or services.
-* Reset your password and help keep your account secure.
-* Contact you in special circumstances related to your account.
-* Contact you about legal requests, such as DMCA takedown requests.
+- Notify you about posts and other activity on the websites or services.
+- Reset your password and help keep your account secure.
+- Contact you in special circumstances related to your account.
+- Contact you about legal requests, such as DMCA takedown requests.

 On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time.

 We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days.

-## Who is my data shared with?
+## Contacting Us

-When you use services provided by Privacy Guides your data is processed by our web hosting provider, Aragon Ventures LLC, in order to facilitate their hosting obligations. Aragon Ventures LLC may collect and use your data as described in their privacy statement at [https://aragon.ventures/privacy](https://aragon.ventures/privacy/).
-
-Your account data, posts, and other activities on Privacy Guides services is shared with others as mentioned in the section about account data.
-
-## Where is my data stored?
-
-The primary datacenter for Privacy Guides is located in Finland. Some websites, services, or backups may reside in datacenters in multiple jurisdictions, including the United States and the European Union.
-
-## Is Privacy Guides GDPR compliant?
-
-We respect privacy rights under [Regulation (EU) 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG), the European Union’s General Data Protection Regulation (GDPR). Information that GDPR requires us to give can be found throughout this document.
-
-## What are my data protection rights?
-
-We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
-
-* **The right to access** – You have the right to request access to your personal data or copies of your personal data from us. We may charge you a small fee for providing a copy of your data.
-* **The right to rectification** – You have the right to request that we correct any information you believe is inaccurate or incomplete.
-* **The right to erasure** – You have the right to request that we erase your personal data, under certain conditions.
-* **The right to restrict processing** – You have the right to request that we restrict the processing of your personal data, under certain conditions.
-* **The right to object to processing** – You have the right to object to our processing of your personal data, under certain conditions.
-* **The right to data portability** – You have the right to request that we transfer the data that we have collected to another organization or directly to you under certain conditions.
-
-## How can I contact the Privacy Guides team about privacy?
-
-The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to the data controller for these services, Aragon Ventures LLC:
+The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to:

 ```
 Jonah Aragon
-Services Administrator, Aragon Ventures LLC
+Services Administrator
 jonah@privacyguides.org
 ```

@ -94,9 +51,7 @@ For all other inquiries, you can contact any member of our team.

 For complaints under GDPR more generally, European Union users may lodge complaints with their local data protection supervisory authorities.

-## How can I find out about changes to this document?
-
-This version of our privacy statement took effect April 4th, 2022.
+## About This Policy

 We will post any new versions of this statement [here](privacy-policy.en.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.en.md) for the latest contact information at any time.

--- a/docs/android.en.md
+++ b/docs/android.en.md
@ -10,7 +10,7 @@ These are the Android operating systems, devices, and apps we recommend to maxim

 ## AOSP Derivatives

-Generally speaking we recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. If you are unable to run any of the following operating systems on your device, you are likely going to be best off sticking with your stock Android installation (as opposed to an operating system not listed here such as LineageOS), but we would recommend upgrading to a new device if at all possible.
+We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems.

 !!! note

@ -27,11 +27,11 @@ Generally speaking we recommend installing one of these custom Android operating

    GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.

-    [Visit grapheneos.org](https://grapheneos.org/){ .md-button .md-button--primary } [Privacy Policy](https://grapheneos.org/faq#privacy-policy){ .md-button }
+    [Homepage](https://grapheneos.org/){ .md-button .md-button--primary } [Privacy Policy](https://grapheneos.org/faq#privacy-policy){ .md-button }

-Notably, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play). Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user [profile](#android-security-privacy) of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's [Firebase Cloud Messaging](https://firebase.google.com/docs/cloud-messaging/) service. GrapheneOS allows you to take advantage of most [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) whilst having full user control over their permissions and access.
+GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like a regular user app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while having full user control over their permissions and access, and while containing them to a specific work profile or user [profile](android/overview.md#user-profiles) of your choice.

-Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet its hardware security requirement and are supported.
+Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).

 ### CalyxOS

@ -41,11 +41,11 @@ Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet i

    **CalyxOS** is a system with some privacy features on top of AOSP, including [Datura](https://calyxos.org/docs/tech/datura-details) firewall, [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so verified boot is fully supported.

-    [Visit calyxos.org](https://calyxos.org/){ .md-button .md-button--primary } [Privacy Policy](https://calyxinstitute.org/legal/privacy-policy){ .md-button }
+    [Homepage](https://calyxos.org/){ .md-button .md-button--primary } [Privacy Policy](https://calyxinstitute.org/legal/privacy-policy){ .md-button }

-To accomodate users who need Google Play Services, CalyxOS optionally includes [MicroG](https://microg.org/). With MicroG, CalyxOS also bundles in the [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu) location services.
+To accomodate users who need Google Play Services, CalyxOS optionally includes [microG](https://microg.org/). CalyxOS also includes alternate location services, [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu).

-Currently, CalyxOS only supports [Pixel phones](https://calyxos.org/docs/guide/device-support/).
+CalyxOS only [supports](https://calyxos.org/docs/guide/device-support/) Google Pixel phones. However, support for the OnePlus 8T/9 and Fairphone 4 is [currently in beta](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/).

 ### DivestOS

@ -53,20 +53,20 @@ Currently, CalyxOS only supports [Pixel phones](https://calyxos.org/docs/guide/d

    ![DivestOS logo](assets/img/android/divestos.svg){ align=right }

-    **DivestOS** is a [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) of [LineageOS](https://lineageos.org/).
+    **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/).
    DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.

-    [Visit divestos.org](https://divestos.org){ .md-button .md-button--primary } [Privacy Policy](https://divestos.org/index.php?page=privacy_policy){ .md-button }
+    [Homepage](https://divestos.org){ .md-button .md-button--primary } [Privacy Policy](https://divestos.org/index.php?page=privacy_policy){ .md-button }

 DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, and [F-Droid](https://www.f-droid.org) as the app store. It includes [UnifiedNlp](https://github.com/microg/UnifiedNlp) for network location. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and includes [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning).

 DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.

-DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and 18.1 feature GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, and [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). All branches additionally have various miscellaneous patches courtesy of GrapheneOS.
+DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0, 17.1, and 18.1 implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](android/grapheneos-vs-calyxos.md#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and 18.1 feature GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, and [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).

 !!! attention

-    DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
+    DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS or CalyxOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.

    Not all of the supported devices have verified boot, and some perform it better than others.

@ -92,36 +92,34 @@ A few more tips regarding Android devices and operating system compatibility:

    Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer.

-    [Visit store.google.com](https://store.google.com/category/phones){ .md-button .md-button--primary }
+    [Store](https://store.google.com/category/phones){ .md-button .md-button--primary }

-Unless you know you have a specific need for [CalyxOS/microG features](https://calyxos.org/features/) that are unavailable on GrapheneOS, we strongly recommend GrapheneOS over other operating system choices on Pixel devices.
-
-[More about GrapheneOS vs CalyxOS](android/grapheneos-vs-calyxos.md){ .md-button }
+Unless you have a need for specific [CalyxOS features](https://calyxos.org/features/) that are unavailable on GrapheneOS, we strongly recommend GrapheneOS over other operating system choices on Pixel devices.

 The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company.

 A few more tips for purchasing a Google Pixel:

 - If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock.
- Consider price beating options and specials offered at [brick and mortar](https://en.wikipedia.org/wiki/Brick_and_mortar) stores.
+- Consider price beating options and specials offered at brick and mortar stores.
 - Look at online community bargain sites in your country. These can alert you to good sales.
- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EoL Date }-\text{ Current Date}$, meaning that the longer use of the device the lower cost per day.
+- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date }-\text{ Current Date}$, meaning that the longer use of the device the lower cost per day.

 ### Other Devices

 !!! important

-    Google Pixel phones are the only devices which are fully supported by all of our recommended Android distributions. Additionally, Pixel devices have stronger hardware security than any other Android device currently on the market, due to Google's custom Titan security chips acting as the Secure Element for secrets storage and rate limiting. Secure Elements are more limited and have a smaller attack surface than the Trusted Execution Environment used by most other phones, which is also used to run "trusted" programs. Phones without a Secure Element have to use the TEE for secrets storage, rate limiting, *and* trusted computing."
+    Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.

-If you are unable to purchase a Pixel device, any device which is supported by CalyxOS should be reasonably secure and private enough for most users after installing CalyxOS.
+    Secure Elements are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation and rate limiting but not running "trusted" programs. Phones without a Secure Element have to use the TEE for secrets storage, rate limiting, *and* trusted computing, which results in a larger attack surface.

-In any case, when purchasing a device we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. 
+    The following OEMs are only mentioned as they have phones compatible with the operating systems recommended by us. If you are purchasing a new device, we only recommend purchasing a Google Pixel.

-We do not recommend the following devices over a Google Pixel device, but we do have some notes on devices from other manufacturers:
+When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible.

 #### OnePlus

-If you are unable to obtain a Google Pixel, recent OnePlus devices provide a good balance of security with custom operating systems and longevity, with OnePlus 8 and later devices receiving 4 years of security updates. CalyxOS has [experimental support](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/) for the **OnePlus 8T** and **9**.
+If you are unable to obtain a Google Pixel, recent OnePlus devices are the next best option if you want to run a custom OS without privileged Play Services. OnePlus 8 and later devices will receive 4 years of security updates from their initial launch date. CalyxOS has [experimental support](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/) for the **OnePlus 8T** and **9**.

 DivestOS has support for most OnePlus devices up to the **OnePlus 7T Pro**, with varying levels of support.

@ -129,13 +127,13 @@ DivestOS has support for most OnePlus devices up to the **OnePlus 7T Pro**, with

 !!! danger

-    The Fairphone by default is not secure as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11), meaning any system can be installed and the phone will trust it as if it is the stock system. This essentially breaks verified boot on a stock Fairphone device.
+    The Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage.

-    This problem is solved when you install a custom operating system such as CalyxOS or DivestOS and trust the developer's signing keys rather than the stock system's. To reiterate, **you must install a custom operating system with custom boot keys to use Fairphone devices in a secure manner.**
+    This problem is somewhat mitigated when you install a custom operating system such as CalyxOS or DivestOS and trust the developer's signing keys rather than the stock system keys, however a vulnerability in CalyxOS or DivestOS's recovery environments could still potentially allow an attacker to bypass AVB. **To reiterate, you must install a custom operating system with custom boot keys to use Fairphone devices in a secure manner.**

 CalyxOS has [experimental support](https://calyxos.org/news/2022/04/01/fairphone4-oneplus8t-oneplus9-test-builds/) for the **Fairphone 4**. DivestOS has builds available for the **Fairphone 3**.

-While Fairphone markets their devices as receiving 6 years of support, the SOC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably sooner EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.
+Fairphone markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates.

 ## General Apps

@ -147,7 +145,7 @@ While Fairphone markets their devices as receiving 6 years of support, the SOC (

    **Orbot** is a free proxy app that routes your connections through the Tor Network.

-    [Visit orbot.app](https://orbot.app/){ .md-button .md-button--primary }
+    [Homepage](https://orbot.app/){ .md-button .md-button--primary }

    ??? downloads

@ -156,11 +154,11 @@ While Fairphone markets their devices as receiving 6 years of support, the SOC (
        - [:fontawesome-brands-github: GitHub](https://github.com/guardianproject/orbot)
        - [:fontawesome-brands-gitlab: GitLab](https://gitlab.com/guardianproject/orbot)

-Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch (:gear: Settings → Network & internet → VPN → :gear: → Block connections without VPN).
+Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.

-For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* ( :material-menu: →Settings → Connectivity). This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.

-!!! attention
+!!! tip

    Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot) instead.

@ -176,14 +174,13 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest

    Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).

-    [Visit gitea.angry.im](https://gitea.angry.im/PeterCxy/Shelter){ .md-button .md-button--primary }
+    [Project Info](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary }

    ??? downloads

        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.typeblog.shelter)
        - [:fontawesome-brands-github: GitHub](https://github.com/PeterCxy/Shelter)
-        - [:fontawesome-brands-git-alt: Source](https://gitea.angry.im/PeterCxy/Shelter)

 !!! attention

@ -202,7 +199,7 @@ For resistance against traffic analysis attacks, consider enabling *Isolate Dest

    **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently it works with GrapheneOS and the device's stock operating system.

-    [Visit attestation.app](https://attestation.app){ .md-button .md-button--primary }
+    [Website](https://attestation.app){ .md-button .md-button--primary }

    ??? downloads

@ -231,7 +228,7 @@ To make sure that your hardware and operating system is genuine, [perform local

      **Secure Camera** is an camera app focused on privacy and security which can capture images, videos, and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.

-    [Visit github.com](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }
+    [Source Code](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary }

    ??? downloads

@ -261,7 +258,7 @@ Main privacy features include:

    [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.

-    [Visit github.com](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary }
+    [App Info](https://github.com/GrapheneOS/PdfViewer#readme){ .md-button .md-button--primary }

    ??? downloads

@ -276,7 +273,7 @@ Main privacy features include:

    **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online.

-    [Visit privacyblur.app](https://privacyblur.app/){ .md-button .md-button--primary }
+    [Website](https://privacyblur.app/){ .md-button .md-button--primary }

    ??? downloads

@ -300,7 +297,9 @@ The Google Play Store requires a Google account to login which is not great for

 ### F-Droid

-F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third party repositories and not be confined to Google's [walled garden](https://en.wikipedia.org/wiki/Closed_platform) has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications, and is dedicated to free and open source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/).
+F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications, and is dedicated to free and open source software. However, there are problems with the official F-Droid client, their quality control, and how they build, sign and deliver packages, outlined in this [post](https://wonderfall.dev/fdroid-issues/).
+
+*[walled garden]: A walled garden (or closed platform) is one in which the service provider has control over applications, content, and/or media, and restricts convenient access to non-approved applicants or content.

 Sometimes the official F-Droid repository may fall behind on updates. F-Droid maintainers reuse package IDs while signing apps with their own keys, which is not ideal as it does give the F-Droid team ultimate trust. The Google Play version of some apps may contain unwanted telemetry or lack features that are available in the F-Droid version.

--- a/docs/android/grapheneos-vs-calyxos.en.md
+++ b/docs/android/grapheneos-vs-calyxos.en.md
@ -6,17 +6,25 @@ icon: 'material/cellphone-cog'

 CalyxOS includes a device controller app so there is no need to install a third party app like Shelter.

-GrapheneOS extends the user profile feature allowing a user to press an "End Session" button. This button clears the encryption key from memory. There are plans to add a [cross profile notifications system](https://github.com/GrapheneOS/os-issue-tracker/issues/88) in the future. GrapheneOS plans to introduce nested profile support with better isolation in the future.
+GrapheneOS extends the user profile feature, allowing you to end a current session. To do this, select *End Session* which will clear the encryption key from memory. There are plans to add a [cross profile notifications system](https://github.com/GrapheneOS/os-issue-tracker/issues/88) in the future. GrapheneOS plans to introduce nested profile support with better isolation in the future.

-## Sandboxed Google Play vs Privileged MicroG
+## Sandboxed Google Play vs Privileged microG

 When Google Play services are used on GrapheneOS, they run as a user app and are contained within a user or work profile.

 Sandboxed Google Play is confined using the highly restrictive, default [`untrusted_app`](https://source.android.com/security/selinux/concepts) domain provided by [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux). Permissions for apps to use Google Play Services can be revoked at any time by the user.

-MicroG is a reimplementation of Google Play Services. This means it needs to be updated every time Android has a major version update (or the Android API changes). It also needs to run in the highly privileged [`system_app`](https://source.android.com/security/selinux/concepts) SELinux domain like normal Google Play Services and requires access to [signature spoofing](https://madaidans-insecurities.github.io/android.html#microg-signature-spoofing) so this is less secure than the Sandboxed Google Play approach. We do not believe MicroG provides any privacy advantages over Sandboxed Google Play except for the option to *shift trust* of the location backend from Google to another provider such as Mozilla or DejaVu.
+microG is an open-source re-implementation of Google Play Services. This means it needs to be updated every time Android has a major version update (or the Android API changes). It also needs to run in the highly privileged [`system_app`](https://source.android.com/security/selinux/concepts) SELinux domain like regular Google Play Services, and it requires an operating system that allows [signature spoofing](https://github.com/microg/GmsCore/wiki/Signature-Spoofing), which allows system apps to insecurely masquerade as other apps. This is less secure than Sandboxed Google Play's approach, which does not need access to sensitive system APIs.

-From a usability point of view, Sandboxed Google Play also works well with far more applications than MicroG, thanks to its support for services like [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html).
+When using Sandboxed Play Services, you have the option to reroute location requests to the Play Services API back to the OS location API which uses satellite based location services. With microG, you have the option to either not use a network location backend at all, *shift trust* to another location backend like Mozilla, or use [DejaVu](https://github.com/n76/DejaVu), a location backend that locally collects and saves RF-based location data to an offline database which can be used when GPS is not available.
+
+Network location providers like Play Services or Mozilla rely the on the MAC addresses of surrounding WiFi access points and Bluetooth devices being submitted for location approximation. Choosing a network location like Mozilla to use with microG provides little to no privacy benefit over Google because you are still submitting the same data and trusting them to not profile you.
+
+Local RF location backends like DejaVu require that the phone has a working GPS first for the local RF data collected to be useful. This makes them ineffective as location providers, as the job of a location provider is to assist location approximation when satellite based services are not working.
+
+If your threat model requires protecting your location or the MAC addresses of nearby devices, rerouting location requests to the OS location API is probably the best option. The benefit brought by microG's custom location backend is minimal at best when compared to Sandboxed Play Services.
+
+In terms of application compatibility, Sandboxed Google Play outperforms microG due to its support for many services which microG has not yet implemented, like [Google Play Games](https://play.google.com/googleplaygames) and [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html). Authentication using [FIDO](security/multi-factor-authentication#fido-fast-identity-online) with online services on Android also relies on Play Services, and the feature is not yet implemented in microG.

 ## Privileged App Extensions

--- a/docs/android/overview.en.md
+++ b/docs/android/overview.en.md
@ -6,17 +6,17 @@ Android is a secure operating system that has strong [app sandboxing](https://so

 ## Choosing an Android Distribution

-When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services which are not part of the [Android Open Source Project](https://source.android.com/). An example of such is Google Play Services, which has unrevokable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
+When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open Source Project](https://source.android.com/). An example of such is Google Play Services, which has unrevokable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.

-This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often break the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship with [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via the [Android Debug Bridge](https://developer.android.com/studio/command-line/adb) (ADB) and requires [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accomodate debugging features, resulting in a further increased attack surface and weakened security model.
+This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accomodate debugging features, resulting in a further increased attack surface and weakened security model.

-Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in enforcing mode. All of our recommended Android distributions satisfy these criteria.
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.

 [Our Android System Recommendations :material-arrow-right:](../android.md){ .md-button }

-## Avoid Root
+## Avoid Rooting

-[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) policy bypasses.
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.

 Adblockers which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.

@ -24,13 +24,23 @@ AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Fire

 We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.

+## Verified Boot
+
+[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
+
+Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Each user's data is encrypted using their own unique encryption key, and the operating system files are left unencrypted.
+
+Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting device.
+
+Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
+
 ## Firmware Updates

 Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin).

-As the components of the phone such as the processor and radio technologies rely on closed source components, the updates must be provided by the respective manufacturers. Therefore it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years while cheaper products often have shorter support. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own system on chip (SoC) and they will provide 5 years of support.
+As the components of the phone such as the processor and radio technologies rely on closed source components, the updates must be provided by the respective manufacturers. Therefore it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support.

-Devices that have reached their end-of-life (EoL) and are no longer supported by the SoC manufacturer, cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.
+EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed.

 ## Android Versions

@ -44,7 +54,7 @@ Should you want to run an app that you're unsure about, consider using a user or

 ## User Profiles

-Multiple user profiles (Settings → System → Multiple users) are the simplest way to isolate in Android. With user profiles you can limit a user from making calls, SMS or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles is a more secure method of isolation.
+Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. With user profiles you can limit a user from making calls, SMS or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles is a more secure method of isolation.

 ## Work Profile

@ -56,19 +66,9 @@ The work profile is dependent on a device controller to function. Features such

 This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously.

-## Verified Boot
-
-[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
-
-Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based).
-
-Each user's data is encrypted using their own unique encryption key, and the operating system files are left unencrypted. Verified Boot ensures the integrity of the operating system files preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon reboot of the device.
-
-Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended.
-
 ## VPN Killswitch

-Android 7 and above supports a VPN killswitch and it is available without the need to install third party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: Settings → Network & internet → VPN → :gear: → Block connections without VPN.
+Android 7 and above supports a VPN killswitch and it is available without the need to install third party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in (:gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**).

 ## Global Toggles

@ -80,7 +80,7 @@ If you are using a device with Google services, either your stock operating syst

 ### Advanced Protection Program

-If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](/security/multi-factor-authentication.md#fido-fast-identity-online) support.
+If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../security/multi-factor-authentication.md#fido-fast-identity-online) support.

 The Advanced Protection Program provides enhanced threat monitoring and enables:

@ -96,18 +96,24 @@ The Advanced Protection Program provides enhanced threat monitoring and enables:
 - Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
 - Warning the user about unverified applications

+### Google Play System Updates
+
+In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services.
+
+If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible.
+
 ### Advertising ID

 All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.

-On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: Settings → Apps → Sandboxed Google Play → Google Settings → Ads and select **Delete advertising ID**.
+On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.

 On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check

- :gear: Settings → Google → Ads
- :gear: Settings → Privacy → Ads
+- :gear: **Settings** → **Google** → **Ads**
+- :gear: **Settings** → **Privacy** → **Ads**

-Depending on your system, you will either be given the option to delete your advertising ID or to "Opt out of interest-based ads". You should delete the advertising ID if you are given the option to, and if you are not, we recommend that you opt out of interested-based ads and then reset your advertising ID.
+You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.

 ### SafetyNet and Play Integrity API

--- a/docs/assets/img/email/ctemplar-dark.svg
+++ b/docs/assets/img/email/ctemplar-dark.svg
--- a/docs/assets/img/email/ctemplar.svg
+++ b/docs/assets/img/email/ctemplar.svg
--- a/docs/assets/img/email/mini/ctemplar-dark.svg
+++ b/docs/assets/img/email/mini/ctemplar-dark.svg
--- a/docs/assets/img/email/mini/ctemplar.svg
+++ b/docs/assets/img/email/mini/ctemplar.svg
--- a/docs/assets/img/search-engines/mini/searxng-wordmark.svg
+++ b/docs/assets/img/search-engines/mini/searxng-wordmark.svg
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.36928 0 0 .36928 -15.111 -6.7595)"><circle cx="75" cy="92" r="0" style="fill:none;stroke-width:12;stroke:#000"/><circle cx="75.921" cy="53.903" r="30" style="fill:none;stroke-width:10;stroke:#3050ff"/><path d="m67.515 37.915a18 18 0 0 1 21.051 3.3124 18 18 0 0 1 3.1373 21.078" style="fill:none;stroke-width:5;stroke:#3050ff"/><rect transform="rotate(-46.235)" x="3.7064" y="122.09" width="18.846" height="39.963" ry="1.8669e-13" style="fill:#3050ff"/></g></svg>
--- a/docs/assets/img/search-engines/mojeek.svg
+++ b/docs/assets/img/search-engines/mojeek.svg
@ -1,13 +1,2 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg width="100%" height="100%" viewBox="0 0 1892 567" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
-    <g transform="matrix(4.16667,0,0,4.16667,0,0)">
-        <path d="M120.727,100.075C117.839,100.075 116.235,98.151 116.235,93.819C116.235,89.488 118.907,71.017 119.938,62.546C121.854,46.813 112.784,35.412 99.628,35.412C89.206,35.412 81.253,39.533 75.016,46.171C70.785,39.774 66.032,35.412 56.787,35.412C47.783,35.412 42.2,38.711 36.702,43.997C33.746,38.19 28.476,35.412 20.597,35.412C14.058,35.412 5.274,38.691 0,41.936L5.875,55.235C9.876,53.009 13.157,51.325 15.976,51.325C19.063,51.325 20.897,53.551 20.384,58.207C19.89,62.699 14.445,114.193 14.445,114.193L32.169,114.193C32.169,114.193 35.647,81.141 36.873,71.198C38.309,59.545 43.953,52.167 51.995,52.167C59.053,52.167 61.458,57.722 60.951,64.217C60.509,69.874 55.363,114.193 55.363,114.193L73.187,114.193C73.187,114.193 77.12,77.451 78.35,68.345C79.946,56.519 87.575,52.167 92.361,52.167C100.23,52.167 102.623,58.604 101.886,64.703C101.287,69.67 99.155,87.157 98.506,96.234C97.705,107.455 102.999,115.798 113.026,115.798C119.604,115.798 126.176,113.923 130.862,111.245L127.022,98.089C124.793,99.053 122.68,100.075 120.727,100.075Z" style="fill:#79ba3a;fill-rule:nonzero;"/>
-        <path d="M210.352,109.031C209.685,115.597 207.559,118.885 202.593,118.885C200.159,118.885 197.141,117.883 194.404,116.76L187.786,131.99C191.417,134.221 199.778,136.001 205.073,136.001C222.239,136.001 226.57,122.936 228.496,105.289C229.779,92.777 235.478,36.384 235.478,36.384L217.34,41.529C217.34,41.529 211.457,98.155 210.352,109.031Z" style="fill:#79ba3a;fill-rule:nonzero;"/>
-        <path d="M229.774,0.53C222.893,0.53 217.991,6.293 217.553,12.387C217.114,18.481 221.187,24.245 228.068,24.245C234.346,24.245 239.851,18.481 240.29,12.387C240.728,6.293 236.052,0.53 229.774,0.53Z" style="fill:#79ba3a;fill-rule:nonzero;"/>
-        <path d="M281.513,50.816C286.487,50.816 289.114,54.032 289.114,58.05C289.114,68.636 276.099,73.186 262.486,72.549C264.702,60.989 272.887,50.816 281.513,50.816ZM277.683,100.075C269.054,100.075 264.006,93.736 262.433,84.92C290.833,86.885 306.541,75.114 306.541,57.802C306.541,43.845 293.666,35.582 281.995,35.582C259.374,35.582 243.542,54.273 243.542,79.059C243.542,101.078 255.142,115.798 275.152,115.798C287.89,115.798 298.439,110.022 306.649,99.582L297.215,88.986C291.404,94.746 285.604,100.075 277.683,100.075Z" style="fill:#79ba3a;fill-rule:nonzero;"/>
-        <path d="M351.969,50.816C356.943,50.816 359.57,54.032 359.57,58.05C359.57,68.636 346.555,73.186 332.943,72.549C335.158,60.989 343.343,50.816 351.969,50.816ZM348.139,100.075C339.51,100.075 334.462,93.736 332.889,84.92C361.29,86.885 376.997,75.114 376.997,57.802C376.997,43.845 364.123,35.582 352.451,35.582C329.831,35.582 313.999,54.273 313.999,79.059C313.999,101.078 325.599,115.798 345.608,115.798C358.346,115.798 368.895,110.022 377.106,99.582L367.671,88.986C361.86,94.746 356.06,100.075 348.139,100.075Z" style="fill:#79ba3a;fill-rule:nonzero;"/>
-        <path d="M449.367,98.788C447.277,99.612 445.44,100.075 443.291,100.075C437.144,100.075 434.424,94.931 431.903,88.926C429.94,84.25 426.33,74.478 423.329,65.984L451.235,37.187L429.686,37.187C424.784,41.99 412.145,54.663 405.7,61.134C408.604,32.539 411.577,3.256 411.577,3.256L393.684,8.4C393.684,8.4 384.042,102.887 382.937,113.764L400.346,113.764C400.716,110.157 401.807,99.444 403.17,86.028L409.921,79.014C412.005,84.352 414.296,90.798 415.826,94.665C421.035,107.837 426.555,115.798 438.57,115.798C443.254,115.798 448.914,114.397 453.234,112.202L449.367,98.788Z" style="fill:#79ba3a;fill-rule:nonzero;"/>
-        <path d="M164.417,99.966C156.828,99.966 150.956,93.398 150.956,80.262C150.956,63.176 159.114,51.305 169.342,51.305C178.807,51.305 182.735,62.676 182.735,73.284C182.735,89.568 173.673,99.966 164.417,99.966ZM201.796,72.241C201.796,53.59 190.438,35.6 169.342,35.6C147.56,35.6 132.02,54.623 132.02,79.139C132.02,102.8 144.715,115.798 163.646,115.798C188.234,115.798 201.796,94.409 201.796,72.241Z" style="fill:#79ba3a;fill-rule:nonzero;"/>
-    </g>
-</svg>
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="384" height="128" version="1.1" viewBox="0 0 101.6 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.22417 0 0 .22417 -9.1709e-7 1.6305)" style="clip-rule:evenodd;fill-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2"><path d="m120.73 100.08c-2.888 0-4.492-1.924-4.492-6.256 0-4.331 2.672-22.802 3.703-31.273 1.916-15.733-7.154-27.134-20.31-27.134-10.422 0-18.375 4.121-24.612 10.759-4.231-6.397-8.984-10.759-18.229-10.759-9.004 0-14.587 3.299-20.085 8.585-2.956-5.807-8.226-8.585-16.105-8.585-6.539 0-15.323 3.279-20.597 6.524l5.875 13.299c4.001-2.226 7.282-3.91 10.101-3.91 3.087 0 4.921 2.226 4.408 6.882-0.494 4.492-5.939 55.986-5.939 55.986h17.724s3.478-33.052 4.704-42.995c1.436-11.653 7.08-19.031 15.122-19.031 7.058 0 9.463 5.555 8.956 12.05-0.442 5.657-5.588 49.976-5.588 49.976h17.824s3.933-36.742 5.163-45.848c1.596-11.826 9.225-16.178 14.011-16.178 7.869 0 10.262 6.437 9.525 12.536-0.599 4.967-2.731 22.454-3.38 31.531-0.801 11.221 4.493 19.564 14.52 19.564 6.578 0 13.15-1.875 17.836-4.553l-3.84-13.156c-2.229 0.964-4.342 1.986-6.295 1.986z" style="fill-rule:nonzero;fill:#79ba3a"/><path d="m210.35 109.03c-0.667 6.566-2.793 9.854-7.759 9.854-2.434 0-5.452-1.002-8.189-2.125l-6.618 15.23c3.631 2.231 11.992 4.011 17.287 4.011 17.166 0 21.497-13.065 23.423-30.712 1.283-12.512 6.982-68.905 6.982-68.905l-18.138 5.145s-5.883 56.626-6.988 67.502z" style="fill-rule:nonzero;fill:#79ba3a"/><path d="m229.77 0.53c-6.881 0-11.783 5.763-12.221 11.857-0.439 6.094 3.634 11.858 10.515 11.858 6.278 0 11.783-5.764 12.222-11.858 0.438-6.094-4.238-11.857-10.516-11.857z" style="fill-rule:nonzero;fill:#79ba3a"/><path d="m281.51 50.816c4.974 0 7.601 3.216 7.601 7.234 0 10.586-13.015 15.136-26.628 14.499 2.216-11.56 10.401-21.733 19.027-21.733zm-3.83 49.259c-8.629 0-13.677-6.339-15.25-15.155 28.4 1.965 44.108-9.806 44.108-27.118 0-13.957-12.875-22.22-24.546-22.22-22.621 0-38.453 18.691-38.453 43.477 0 22.019 11.6 36.739 31.61 36.739 12.738 0 23.287-5.776 31.497-16.216l-9.434-10.596c-5.811 5.76-11.611 11.089-19.532 11.089z" style="fill-rule:nonzero;fill:#79ba3a"/><path d="m351.97 50.816c4.974 0 7.601 3.216 7.601 7.234 0 10.586-13.015 15.136-26.627 14.499 2.215-11.56 10.4-21.733 19.026-21.733zm-3.83 49.259c-8.629 0-13.677-6.339-15.25-15.155 28.401 1.965 44.108-9.806 44.108-27.118 0-13.957-12.874-22.22-24.546-22.22-22.62 0-38.452 18.691-38.452 43.477 0 22.019 11.6 36.739 31.609 36.739 12.738 0 23.287-5.776 31.498-16.216l-9.435-10.596c-5.811 5.76-11.611 11.089-19.532 11.089z" style="fill-rule:nonzero;fill:#79ba3a"/><path d="m449.37 98.788c-2.09 0.824-3.927 1.287-6.076 1.287-6.147 0-8.867-5.144-11.388-11.149-1.963-4.676-5.573-14.448-8.574-22.942l27.906-28.797h-21.549c-4.902 4.803-17.541 17.476-23.986 23.947 2.904-28.595 5.877-57.878 5.877-57.878l-17.893 5.144s-9.642 94.487-10.747 105.36h17.409c0.37-3.607 1.461-14.32 2.824-27.736l6.751-7.014c2.084 5.338 4.375 11.784 5.905 15.651 5.209 13.172 10.729 21.133 22.744 21.133 4.684 0 10.344-1.401 14.664-3.596z" style="fill-rule:nonzero;fill:#79ba3a"/><path d="m164.42 99.966c-7.589 0-13.461-6.568-13.461-19.704 0-17.086 8.158-28.957 18.386-28.957 9.465 0 13.393 11.371 13.393 21.979 0 16.284-9.062 26.682-18.318 26.682zm37.379-27.725c0-18.651-11.358-36.641-32.454-36.641-21.782 0-37.322 19.023-37.322 43.539 0 23.661 12.695 36.659 31.626 36.659 24.588 0 38.15-21.389 38.15-43.557z" style="fill-rule:nonzero;fill:#79ba3a"/></g></svg>
--- a/docs/assets/img/search-engines/searx.svg
+++ b/docs/assets/img/search-engines/searx.svg
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.866 33.866" xmlns="http://www.w3.org/2000/svg"><defs><radialGradient id="radialGradient3798" cx="294.46" cy="208.38" r="107.58" gradientUnits="userSpaceOnUse"><stop stop-color="#a9a9a9" offset="0"/><stop offset="1"/></radialGradient><linearGradient id="linearGradient3865" x1="120.69" x2="120.69" y1="239.62" y2="602.18" gradientUnits="userSpaceOnUse"><stop stop-color="#fff" offset="0"/><stop stop-color="#fff" stop-opacity="0" offset="1"/></linearGradient><filter id="filter4024-6-4" x="-.12997" y="-.14709" width="1.2599" height="1.2942" color-interpolation-filters="sRGB"><feGaussianBlur stdDeviation="6.4759344"/></filter></defs><g transform="matrix(.090361 0 0 .090361 -5.5773 -.077823)"><g transform="matrix(1.1338 0 0 1.1338 -8.2538 -22.845)"><path d="m70.523 34.871c-7.1196 15.243-10.178 31.779-8.2256 48.815 5.0168 43.774 41.675 79.325 91.536 95.163-6.6258-22.408-5.3409-44.936 2.6395-65.844-47.737-14.183-81.645-42.808-85.95-78.133z"/><path d="m303.78 36.214c7.1196 15.243 10.178 31.779 8.2256 48.815-5.0168 43.774-41.675 79.325-91.536 95.163 6.6258-22.408 5.3409-44.936-2.6395-65.844 47.737-14.183 81.645-42.808 85.95-78.133z"/><path transform="rotate(-49.03)" d="m-5.0906 259.06h18.417c6.2205 0 11.228 16.682 11.228 37.403v172.84c0 20.722-5.0078 37.403-11.228 37.403h-18.417c-6.2205 0-11.228-16.682-11.228-37.403v-172.84c0-20.722 5.0078-37.403 11.228-37.403z"/></g><g transform="matrix(1.1338 0 0 1.1338 -8.2538 -22.845)"><circle transform="translate(-107.08,-60.609)" cx="294.46" cy="208.38" r="107.58" fill="url(#radialGradient3798)"/><circle transform="matrix(.76866 0 0 .76866 85.803 -82.536)" cx="131.82" cy="299.29" r="101.52" fill="url(#linearGradient3865)"/><circle transform="translate(5,-7.1429)" cx="183.34" cy="156.36" r="27.274" fill="#1a1a1a"/><circle transform="translate(1.4848,-63.565)" cx="197.99" cy="203.33" r="5.5558" fill="#fff"/></g><rect transform="matrix(.74464 -.84315 .84315 .74464 -4.5478 -12.237)" x="19.526" y="337.84" width="2.2393" height="159.44" rx="2.8667" ry="9.0007" fill="#fff" fill-opacity=".82212" filter="url(#filter4024-6-4)"/></g></svg>
--- a/docs/assets/img/search-engines/searxng.svg
+++ b/docs/assets/img/search-engines/searxng.svg
--- a/docs/browsers.en.md
+++ b/docs/browsers.en.md
@ -8,15 +8,13 @@ These are our current web browser recommendations and settings. We recommend kee

 ### Tor Browser

-!!! anonyimity "This product provides anonymity"
-
 !!! recommendation

    ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right }

    **Tor Browser** is the choice if you need anonymity. This browser provides you with access to the Tor Bridges and [Tor Network](https://en.wikipedia.org/wiki/Tor_(network)), along with extensions that can be automatically configured to fit its three security levels - *Standard*, *Safer* and *Safest*. We recommend that you do not change any of Tor Browser's default configurations outside of the standard security levels.

-    [Visit torproject.org](https://www.torproject.org){ .md-button .md-button--primary } [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .md-button } [Privacy Policy](https://support.torproject.org/tbb/tbb-3/){ .md-button }
+    [Homepage](https://www.torproject.org){ .md-button .md-button--primary } [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .md-button } [Privacy Policy](https://support.torproject.org/tbb/tbb-3/){ .md-button }

    ??? downloads

@ -41,7 +39,7 @@ These are our current web browser recommendations and settings. We recommend kee

    **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks).

-    [Visit firefox.com](https://firefox.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mozilla.org/privacy/firefox){ .md-button }
+    [Homepage](https://firefox.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mozilla.org/privacy/firefox){ .md-button }

    ??? downloads

@ -56,7 +54,7 @@ These are our current web browser recommendations and settings. We recommend kee

 #### Recommended Configuration

-These options can be found in the *Privacy & Security* settings page ( :material-menu: → **Settings** → **Privacy & Security**).
+These options can be found in :material-menu: → **Settings** → **Privacy & Security**.

 ##### Enhanced Tracking Protection (ETP)

@ -64,10 +62,9 @@ These options can be found in the *Privacy & Security* settings page ( :material

 ##### Sanitize on Close

- Select **Delete cookies and site data when Firefox is closed**
+If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...**

-!!! note
-    You can still stay logged into websites by allowing exceptions (**Cookies and Site Data** → **Manage Exceptions...**)
+- Select **Delete cookies and site data when Firefox is closed**

 ##### Disable Search Suggestions

@ -75,8 +72,7 @@ These options can be found in the *Privacy & Security* settings page ( :material
 - Clear **Suggestions from sponsors**
 - Clear **Improve the Firefox Suggest experience**

-!!! note
-    Search suggestion features may not be available in your region.
+Search suggestion features may not be available in your region.

 ##### Disable Telemetry

@ -94,7 +90,7 @@ The [Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) serv

 #### Extensions

-We generally do not recommend installing any extensions as they increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [uBlock Origin](#additional-resources) might be useful to you. The extension is also a :trophy: [Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla.
+We generally do not recommend installing any extensions as they increase your attack surface; however, if you want content blocking, [uBlock Origin](#additional-resources) might be useful to you. The extension is also a :trophy: [Recommended Extension](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) by Mozilla.

 #### Arkenfox (advanced)

@ -112,16 +108,16 @@ On iOS, any app that can browse the web is [restricted](https://developer.apple.

    ![Bromite logo](assets/img/browsers/bromite.svg){ align=right }

-    **Bromite** is a [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser))-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization.
+    **Bromite** is a Chromium-based browser with privacy and security enhancements, built-in ad blocking, and some fingerprinting randomization.

-    [Visit bromite.org](https://www.bromite.org){ .md-button .md-button--primary } [Privacy Policy](https://www.bromite.org/privacy){ .md-button }
+    [Homepage](https://www.bromite.org){ .md-button .md-button--primary } [Privacy Policy](https://www.bromite.org/privacy){ .md-button }

    ??? downloads

        - [:fontawesome-brands-android: Android](https://www.bromite.org/fdroid)
        - [:fontawesome-brands-github: Source](https://github.com/bromite/bromite)

-These options can be found in *Privacy and Security* ( :material-menu: → :gear: **Settings** → **Privacy and Security**).
+These options can be found in :material-menu: → :gear: **Settings** → **Privacy and Security**.

 #### Recommended Configuration

@ -143,11 +139,11 @@ These options can be found in *Privacy and Security* ( :material-menu: → :gear

    **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades.

-    [Visit apple.com](https://www.apple.com/safari/){ .md-button .md-button--primary } [Privacy Policy](https://www.apple.com/legal/privacy/data/en/safari/){ .md-button }
+    [Website](https://www.apple.com/safari/){ .md-button .md-button--primary } [Privacy Policy](https://www.apple.com/legal/privacy/data/en/safari/){ .md-button }

 #### Recommended Configuration

-These options can be found in *Privacy and Security* ( :gear: **Settings** → **Safari** → **Privacy and Security**).
+These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**.

 ##### Cross-Site Tracking Prevention

@ -183,11 +179,11 @@ Open Safari and press the tabs icon in the bottom right corner. Open Tab Groups,

 While synchronization of Safari History, Tab Groups, and iCloud Tabs uses E2EE, bookmarks sync does [not](https://support.apple.com/en-us/HT202303); they are only encrypted in transit and stored in an encrypted format on Apple's servers. Apple may be able to decrypt and access them.

-If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in *General* ( :gear: **Settings** → **Safari** → **General** → **Downloads**).
+If you use iCloud, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**.

 #### Extensions

-We generally do not recommend installing [any extensions](https://www.sentinelone.com/blog/inside-safari-extensions-malware-golden-key-user-data/) as they increase your browser's [attack surface](https://en.wikipedia.org/wiki/Attack_surface); however, if you want content blocking, [AdGuard for Safari](#additional-resources) might be useful to you.
+We generally do not recommend installing [any extensions](https://www.sentinelone.com/blog/inside-safari-extensions-malware-golden-key-user-data/) as they increase your browser's attack surface; however, if you want content blocking, [AdGuard for Safari](#additional-resources) might be useful to you.

 ## Additional Resources

@ -201,7 +197,7 @@ We generally do not recommend installing [any extensions](https://www.sentinelon

    We suggest enabling all of the [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) under the "Ads," "Privacy," and "Malware domains". The "Annoyances" and "Multipurpose" lists can also be enabled, but they may break some social media functions. The *AdGuard URL Tracking Protection* filter list makes extensions like CleanURLs and NeatURLs redundant.

-    [Visit github.com](https://github.com/gorhill/uBlock){ .md-button .md-button--primary }
+    [Extension Info](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary }

    ??? downloads

@ -213,7 +209,7 @@ We generally do not recommend installing [any extensions](https://www.sentinelon

 We also suggest adding the [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) list and any of the regional lists that might apply to your browsing habits. To add this list, first access settings by clicking on the uBO icon, then the settings icon ( :gear: ). Go to the bottom of the Filter lists pane and place a checkmark next to Import under the Custom section. Paste the URL of the filter list above into the text area that appears below and click "Apply changes".

-Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need.
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.

 uBlock Origin also has different [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode). The easy mode [might not](https://www.ranum.com/security/computer_security/editorials/dumb/) necessarily keep you safe from every tracker out there, whereas the more advanced modes let you control exactly what needs to run.

@ -227,7 +223,7 @@ uBlock Origin also has different [blocking modes](https://github.com/gorhill/uBl

    We suggest enabling the filters labled *#recommended* under the "Ad Blocking" and "Privacy" [content blockers](https://kb.adguard.com/en/safari/overview#content-blockers). The *#recommended* filters can also be enabled for the "Social Widgets" and "Annoyances" content blockers, but they may break some social media functions.

-    [Visit adguard.com](https://adguard.com/en/adguard-safari/overview.html){ .md-button .md-button--primary } [Privacy Policy](https://adguard.com/en/privacy/safari.html){ .md-button }
+    [Website](https://adguard.com/en/adguard-safari/overview.html){ .md-button .md-button--primary } [Privacy Policy](https://adguard.com/en/privacy/safari.html){ .md-button }

    ??? downloads

@ -235,7 +231,7 @@ uBlock Origin also has different [blocking modes](https://github.com/gorhill/uBl
        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/apple-store/id1047223162)
        - [:fontawesome-brands-git: Source](https://github.com/AdguardTeam/AdGuardForSafari)

-Additional filter lists do slow things down and may increase your [attack surface](https://en.wikipedia.org/wiki/Attack_surface), so only apply what you need.
+Additional filter lists do slow things down and may increase your attack surface, so only apply what you need.

 There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html) which is able to perform system-wide content blocking by means of DNS filtering.

@ -247,10 +243,8 @@ There is also [AdGuard for iOS](https://adguard.com/en/adguard-ios/overview.html

    **Terms of Service; Didn't Read** grades websites based on their terms of service agreements and privacy policies. It also gives short summaries of those agreements. The analyses and ratings are published transparently by a community of reviewers.

-    [Visit tosdr.org](https://tosdr.org){ .md-button .md-button--primary } [Privacy Policy](https://addons.mozilla.org/firefox/addon/terms-of-service-didnt-read/privacy){ .md-button }
+    [Website](https://tosdr.org){ .md-button .md-button--primary } [Privacy Policy](https://addons.mozilla.org/firefox/addon/terms-of-service-didnt-read/privacy){ .md-button }

-!!! note
-
-    We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website.
+We do not recommend installing ToS;DR as a browser extension. The same information is provided on their website.

 --8<-- "includes/abbreviations.en.md"
--- a/docs/calendar-contacts.en.md
+++ b/docs/calendar-contacts.en.md
@ -17,7 +17,7 @@ These products are included with an subscription with their respective [email pr

    **Tutanota** has an [encrypted calendar](https://tutanota.com/blog/posts/free-encrypted-calendar/) in their desktop and mobile clients.

-    [Visit tutanota.com](https://tutanota.com/calendar){ .md-button .md-button--primary } [Privacy Policy](https://tutanota.com/privacy){ .md-button }
+    [Website](https://tutanota.com/calendar){ .md-button .md-button--primary } [Privacy Policy](https://tutanota.com/privacy){ .md-button }

    ??? downloads

@ -38,7 +38,7 @@ These products are included with an subscription with their respective [email pr

    **Proton Calendar** is an calendar app that is available to ProtonMail users. All data stored within it is end-to-end encrypted when stored on ProtonMail's servers.

-    [Visit calendar.protonmail.com](https://calendar.protonmail.com){ .md-button .md-button--primary } [Privacy Policy](https://protonmail.com/privacy-policy){ .md-button }
+    [Website](https://calendar.protonmail.com){ .md-button .md-button--primary } [Privacy Policy](https://protonmail.com/privacy-policy){ .md-button }

    ??? downloads

@ -59,7 +59,7 @@ Some of these options are self-hostable, but could be offered by third party Saa

    EteSync also offers optional software as a service for [$24 per year](https://dashboard.etebase.com/user/partner/pricing/) to use, or you can host the server yourself for free.

-    [Visit etesync.com](https://www.etesync.com){ .md-button .md-button--primary } [Privacy Policy](https://www.etesync.com/tos/#privacy){ .md-button }
+    [Website](https://www.etesync.com){ .md-button .md-button--primary } [Privacy Policy](https://www.etesync.com/tos/#privacy){ .md-button }

    ??? downloads

@ -79,7 +79,7 @@ Some of these options are self-hostable, but could be offered by third party Saa

    You can self host Nextcloud or pay for service from a [provider](https://nextcloud.com/signup/).

-    [Visit nextcloud.com](https://nextcloud.com/){ .md-button .md-button--primary }
+    [Homepage](https://nextcloud.com/){ .md-button .md-button--primary }

    ??? downloads

@ -102,12 +102,11 @@ Some of these options are self-hostable, but could be offered by third party Saa

    There are [plugins](https://github.com/39aldo39/DecSync#rss) to sync other types of data such as [RSS](news-aggregators.md).

-    [Visit github.com](https://github.com/39aldo39/DecSync){ .md-button .md-button--primary }
+    [Project Info](https://github.com/39aldo39/DecSync#readme){ .md-button .md-button--primary }

    ??? downloads

        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.decsync.cc)
        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.decsync.cc)
-        - [:fontawesome-brands-github: Source](https://github.com/39aldo39/DecSync)

 --8<-- "includes/abbreviations.en.md"
--- a/docs/cloud.en.md
+++ b/docs/cloud.en.md
@ -14,7 +14,7 @@ Trust your provider by using an alternative below that supports E2EE.

    **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. It also comes with experimental E2EE.

-    [Visit nextcloud.com](https://nextcloud.com){ .md-button .md-button--primary } [Privacy Policy](https://nextcloud.com/privacy){ .md-button }
+    [Homepage](https://nextcloud.com){ .md-button .md-button--primary } [Privacy Policy](https://nextcloud.com/privacy){ .md-button }

    ??? downloads

@ -41,7 +41,7 @@ When self hosting Nextcloud, you should also remember to enable E2EE to protect

    **Proton Drive** is an E2EE general file storage service by the popular encrypted email provider [ProtonMail](https://protonmail.com).

-    [Visit drive.protonmail.com](https://drive.protonmail.com){ .md-button .md-button--primary } [Privacy Policy](https://protonmail.com/privacy-policy){ .md-button }
+    [Website](https://drive.protonmail.com){ .md-button .md-button--primary } [Privacy Policy](https://protonmail.com/privacy-policy){ .md-button }

    ??? downloads

@ -60,7 +60,7 @@ When using a web client, you are placing trust in the server to send you proper

    **Cryptee** is an encrypted, secure photo storage service, and an encrypted documents editor to write personal docs, notes, journals, store files & more.

-    [Visit crypt.ee](https://crypt.ee){ .md-button .md-button--primary } [Privacy Policy](https://crypt.ee/privacy){ .md-button }
+    [Website](https://crypt.ee){ .md-button .md-button--primary } [Privacy Policy](https://crypt.ee/privacy){ .md-button }

    ??? downloads

@ -68,6 +68,11 @@ When using a web client, you are placing trust in the server to send you proper

 ### Tahoe-LAFS

+!!! note
+
+    Due to the complexity of the system and the amount of nodes needed to set it up, Tahoe-LAFS is only recommended for seasoned system administrators.
+
+
 !!! recommendation

    ![Tahoe-LAFS logo](./assets/img/cloud/tahoe-lafs.svg#only-light){ align=right }
@ -75,7 +80,7 @@ When using a web client, you are placing trust in the server to send you proper

    **Tahoe-LAFS** is a free and open decentralized cloud storage system. It distributes your data across multiple servers. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security. The servers used as storage pools do not have access to your data.

-    [Visit tahoe-lafs.org](https://www.tahoe-lafs.org){ .md-button .md-button--primary }
+    [Homepage](https://www.tahoe-lafs.org){ .md-button .md-button--primary }

    ??? downloads

@ -85,8 +90,4 @@ When using a web client, you are placing trust in the server to send you proper
        - [:pg-netbsd: NetBSD](https://pkgsrc.se/filesystems/tahoe-lafs)
        - [:fontawesome-brands-git: Source](https://www.tahoe-lafs.org/trac/tahoe-lafs/browser)

-!!! note
-
-    Due to the complexity of the system and the amount of nodes needed to set it up, Tahoe-LAFS is only recommended for seasoned system administrators.
-
 --8<-- "includes/abbreviations.en.md"
--- a/docs/dns.en.md
+++ b/docs/dns.en.md
@ -85,7 +85,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](te

    **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), [DNS-over-TLS](technology/dns.md#dns-over-tls-dot), [DNSCrypt](technology/dns.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.

-    [Visit rethinkdns.com](https://rethinkdns.com){ .md-button .md-button--primary } [Privacy Policy](https://rethinkdns.com/privacy){ .md-button }
+    [Website](https://rethinkdns.com){ .md-button .md-button--primary } [Privacy Policy](https://rethinkdns.com/privacy){ .md-button }

    ??? downloads

@ -101,7 +101,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](te

    **DNSCloak** is an open-source iOS client supporting [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), [DNSCrypt](technology/dns.md#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).

-    [Visit github.com](https://github.com/s-s/dnscloak/blob/master/README.md){ .md-button .md-button--primary } [Privacy Policy](https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view){ .md-button }
+    [Project Info](https://github.com/s-s/dnscloak/blob/master/README.md){ .md-button .md-button--primary } [Privacy Policy](https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view){ .md-button }

    ??? downloads

@ -116,12 +116,12 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](te

    **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](technology/dns.md#dnscrypt), [DNS-over-HTTPS](technology/dns.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).

-    [Visit github.com](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
+    !!! warning "The anonymized DNS feature does [**not**](technology/dns.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
+
+    [Wiki](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }

    ??? downloads

        - [:fontawesome-brands-github: Source](https://github.com/DNSCrypt/dnscrypt-proxy)

-!!! warning "The anonymized DNS feature does [**not**](technology/dns.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic."
-
 --8<-- "includes/abbreviations.en.md"
--- a/docs/email-clients.en.md
+++ b/docs/email-clients.en.md
@ -5,11 +5,11 @@ icon: material/email-open
 Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](multi-factor-authentication) and prevent account theft.

 ??? Attention "Email does not provide forward secrecy"
-    When using end-to-end encryption (E2EE) technology like [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy), email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.
+    When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email.

    OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](email.md#email-encryption-overview). Consider using a medium that provides forward secrecy:

-    [Real-time Communication](real-time-communication.md){ .md-button .md-button--primary }
+    [Real-time Communication](real-time-communication.md){ .md-button }

 ### Thunderbird

@ -19,7 +19,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

    **Thunderbird** is a free, open source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.

-    [Visit thunderbird.net](https://www.thunderbird.net){ .md-button .md-button--primary } [Privacy Policy](https://www.mozilla.org/privacy/thunderbird){ .md-button }
+    [Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } [Privacy Policy](https://www.mozilla.org/privacy/thunderbird){ .md-button }

    ??? downloads

@ -31,17 +31,17 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

 ### Apple Mail

+!!! note
+
+    For iOS devices we suggest [Canary Mail](#canary-mail) as it has PGP support which means you can send end-to-end encrypted email.
+
 !!! recommendation

    ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right }

    **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption/#gpg-suite), which adds the ability to send encrypted email.

-    [Visit apple.com](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } [Privacy Policy](https://www.apple.com/legal/privacy/en-ww/){ .md-button }
-
-!!! note
-
-    For iOS devices we suggest [Canary Mail](#canary-mail) as it has PGP support which means you can send end-to-end encrypted email.
+    [Website](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } [Privacy Policy](https://www.apple.com/legal/privacy/en-ww/){ .md-button }

 ### GNOME Evolution

@ -51,7 +51,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

    **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started.

-    [Visit gnome.org](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } [Privacy Policy](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .md-button }
+    [Website](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } [Privacy Policy](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .md-button }

    ??? downloads

@ -66,7 +66,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

    **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client.

-    [Visit kontact.kde.org](https://kontact.kde.org){ .md-button .md-button--primary } [Privacy Policy](https://kde.org/privacypolicy-apps){ .md-button }
+    [Website](https://kontact.kde.org){ .md-button .md-button--primary } [Privacy Policy](https://kde.org/privacypolicy-apps){ .md-button }

    ??? downloads

@ -82,7 +82,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

    **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.

-    [Visit mailvelope.com](https://www.mailvelope.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mailvelope.com/en/privacy-policy){ .md-button }
+    [Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mailvelope.com/en/privacy-policy){ .md-button }

    ??? downloads

@ -99,7 +99,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

    **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.

-    [Visit k9mail.app](https://k9mail.app){ .md-button .md-button--primary } [Privacy Policy](https://k9mail.app/privacy){ .md-button }
+    [Homepage](https://k9mail.app){ .md-button .md-button--primary } [Privacy Policy](https://k9mail.app/privacy){ .md-button }

    ??? downloads

@ -115,7 +115,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

    **FairEmail** is a minimal, open source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage.

-    [Visit email.faircode.eu](https://email.faircode.eu){ .md-button .md-button--primary } [Privacy Policy](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .md-button }
+    [Homepage](https://email.faircode.eu){ .md-button .md-button--primary } [Privacy Policy](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .md-button }

    ??? downloads

@ -131,7 +131,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

    **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.

-    [Visit canarymail.io](https://canarymail.io){ .md-button .md-button--primary } [Privacy Policy](https://canarymail.io/privacy.html){ .md-button }
+    [Homepage](https://canarymail.io){ .md-button .md-button--primary } [Privacy Policy](https://canarymail.io/privacy.html){ .md-button }

    ??? downloads

@ -144,7 +144,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

    Canary Mail only recently released a Windows and Android client, we don't believe they are as stable as their iOS and Mac counterparts.

-Canary Mail is closed source. We recommend it, due to the few choices there are for email clients on iOS that support [Pretty Good Privacy (PGP)](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) E2EE.
+Canary Mail is closed source. We recommend it, due to the few choices there are for email clients on iOS that support PGP E2EE.

 ### NeoMutt

@ -156,7 +156,7 @@ Canary Mail is closed source. We recommend it, due to the few choices there are

    NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable.

-    [Visit neomutt.org](https://neomutt.org){ .md-button .md-button--primary }
+    [Homepage](https://neomutt.org){ .md-button .md-button--primary }

    ??? downloads

--- a/docs/email.en.md
+++ b/docs/email.en.md
@ -31,7 +31,7 @@ Find a secure email provider that will keep your privacy in mind. Don’t settle

    **Free**

-    [Visit ProtonMail.com](https://protonmail.com){ .md-button .md-button--primary }
+    [Website](https://protonmail.com){ .md-button .md-button--primary }

 ??? check "Custom Domains and Aliases"

@ -73,7 +73,7 @@ Find a secure email provider that will keep your privacy in mind. Don’t settle

    **EUR €12/year**

-    [Visit Mailbox.org](https://mailbox.org){ .md-button .md-button--primary }
+    [Website](https://mailbox.org){ .md-button .md-button--primary }

 ??? check "Custom Domains and Aliases"

@ -118,7 +118,7 @@ Find a secure email provider that will keep your privacy in mind. Don’t settle

    **Free**

-    [Visit Disroot.org](https://disroot.org){ .md-button .md-button--primary }
+    [Website](https://disroot.org){ .md-button .md-button--primary }

 ??? check "Custom Domains and Aliases"

@ -161,7 +161,7 @@ Find a secure email provider that will keep your privacy in mind. Don’t settle

    **Free**

-    [Visit Tutanota.com](https://tutanota.com){ .md-button .md-button--primary }
+    [Website](https://tutanota.com){ .md-button .md-button--primary }

 Tutanota [doesn't allow](https://tutanota.com/faq/#imap) the use of third-party [email clients](email-clients.md). Tutanota has no plans pull email from [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) using the IMAP protocol. [Email import](https://github.com/tutao/tutanota/issues/630) is currently not possible.

@ -212,7 +212,7 @@ Tutanota is working on a [desktop client](https://tutanota.com/blog/posts/deskto

    **USD $59.95/year**

-    [Visit StartMail.com](https://startmail.com/){ .md-button .md-button--primary }
+    [Website](https://startmail.com/){ .md-button .md-button--primary }

 ??? check "Custom Domains and Aliases"

@ -244,53 +244,6 @@ Tutanota is working on a [desktop client](https://tutanota.com/blog/posts/deskto

    StartMail allows for proxying of images within emails. If a user allows the remote image to be loaded, the sender won't know what the user's IP address is.

-### CTemplar
-
-!!! recommendation
-
-    ![CTemplar Logo](assets/img/email/ctemplar.svg#only-light){ align=right }
-    ![CTemplar Logo](assets/img/email/ctemplar-dark.svg#only-dark){ align=right }
-
-    **CTemplar** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. CTemplar has been in operation since **2018** and is run from Iceland. Paid accounts start with 5GB. They offer free accounts by [invitation](https://ctemplar.com/email-creation-restriction/).
-
-    **USD $96/year**
-
-    [Visit CTemplar.com](https://ctemplar.com){ .md-button .md-button--primary }
-
-??? check "Custom Domains and Aliases"
-
-    Paid accounts can use [Custom Domains](https://ctemplar.com/help/answer/add-a-domain/) and [aliases](https://ctemplar.com/help/answer/how-to-create-aliases/).
-
-??? check "Private Payment Methods"
-
-    CTemplar [payment options](https://ctemplar.com/help/answer/payment-options/) include Credit cards via Stripe, Bitcoin and Monero.
-
-??? check "Account Security"
-
-    CTemplar supports TOTP two factor authentication [for webmail only](https://ctemplar.com/help/answer/setting-up-two-factor-authentication-2fa/). They do not allow U2F security key authentication.
-
-??? check "Data Security"
-
-    CTemplar has [zero access encryption at rest](https://ctemplar.com/help/answer/what-encryption-method-is-used/), using PGP. They support [protected headers](https://datatracker.ietf.org/doc/html/draft-autocrypt-lamps-protected-headers-02/) and therefore there is [subject encryption](https://ctemplar.com/help/answer/subject-encryption/).
-
-    CTemplar supports importing [contacts](https://ctemplar.com/help/answer/importing-contacts/) and [contacts are encrypted](https://ctemplar.com/help/answer/contact-encryption/) at rest however, they are only accessible in the webmail and apps.
-
-??? check "Email Encryption"
-
-    CTemplar has [integrated encryption](https://ctemplar.com/help/answer/how-does-encryption-decryption-work-in-ctemplar/) in their webmail, which simplifies sending messages to users with public OpenPGP keys.
-
-??? warning ".onion Service"
-
-    CTemplar's .onion service [ctemplarpizuduxk3fkwrieizstx33kg5chlvrh37nz73pv5smsvl6ad.onion](http://ctemplarpizuduxk3fkwrieizstx33kg5chlvrh37nz73pv5smsvl6ad.onion /) is [currently disabled](https://twitter.com/RealCTemplar/status/1458775445202157570) for webmail access, due to a Tor Browser [bug](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32865).
-
-??? info "Additional Functionality"
-
-    CTemplar has a [dead man timer](https://ctemplar.com/help/answer/setting-up-a-dead-mans-timer/) feature that will automatically send a specific message that you've set after a given period of time.
-
-    CTemplar also has a feature that allows users verify [checksums](https://ctemplar.com/ctemplar-checksum-implementation/) of production pages with a public copy on Github.
-
-    Electron clients exist for Windows, Mac and Linux. Official clients also exist for iOS and Android ([including F-Droid](https://f-droid.org/en/packages/com.ctemplar.app.fdroid).) All of these clients are [open source](https://github.com/orgs/CTemplar/repositories).
-
 ## Our Criteria

 **Please note we are not affiliated with any of the providers we recommend.** This allows us to provide completely objective recommendations. We have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you.
@ -326,7 +279,7 @@ We regard these features as important in order to provide a safe and optimal ser
 - Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
 - Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
 - [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support.
- [Catch all](https://en.wikipedia.org/wiki/Email_filtering) or [aliases](https://en.wikipedia.org/wiki/Email_alias) for users who own their own domains.
+- Catch-all or alias functionality for users who own their own domains.
 - Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.

 ### Privacy
@ -421,7 +374,7 @@ E2EE is a way of encrypting email contents so that nobody but the recipient(s) c

 ### How can I encrypt my email?

-The standard way to do email E2EE and have it work between different email providers is with [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP). There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+The standard way to do email E2EE and have it work between different email providers is with OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).

 There is another standard that was popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).

--- a/docs/encryption.en.md
+++ b/docs/encryption.en.md
@ -17,7 +17,7 @@ The options listed here are multi-platform and great for creating encrypted back

    **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.

-    [Visit veracrypt.fr](https://veracrypt.fr){ .md-button .md-button--primary }
+    [Homepage](https://veracrypt.fr){ .md-button .md-button--primary }

    ??? downloads

@ -40,7 +40,7 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru

    **Cryptomator** makes it easy for you to upload files to the cloud in a virtual encrypted file system.

-    [Visit cryptomator.org](https://cryptomator.org){ .md-button .md-button--primary } [Privacy Policy](https://cryptomator.org/privacy){ .md-button }
+    [Homepage](https://cryptomator.org){ .md-button .md-button--primary } [Privacy Policy](https://cryptomator.org/privacy){ .md-button }

    ??? downloads

@ -63,7 +63,7 @@ Some of the Cryptomator Crypto Libraries have been [audited](https://cryptomator

    **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.

-    [Visit github.com](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary }
+    [Project Info](https://github.com/HACKERALERT/Picocrypt#readme){ .md-button .md-button--primary }

    ??? downloads

@ -84,13 +84,13 @@ Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryp

    **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/).

-    [Visit microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary }
+    [Overview](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary }

 BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise, and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.

 ??? example "Enabling BitLocker on Windows Home"

-    To enable BitLocker on "Home" editions of Windows, you must partitions formatted with formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (v1.2, 2.0+) module.
+    To enable BitLocker on "Home" editions of Windows, you must partitions formatted with formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module.

    1. Open Windows [PowerShell](https://en.wikipedia.org/wiki/PowerShell). Start "PowerShell"

@ -104,7 +104,7 @@ BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-o
        powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm | findstr "IsActivated IsEnabled IsOwned SpecVersion"
        ```

-    4. Access Windows 10 "Advanced Startup Options". (Press "reboot" while holding shift button). *Troubleshoot > Advanced Options > Command Prompt*
+    4. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**.

    5. Login with your account that has admin privileges and type this to start encryption:
        ```
@ -129,7 +129,7 @@ BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-o

    **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.

-    [Visit support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary }
+    [Article](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary }

 We recommend storing a local recovery key in a secure place as opposed to utilizing iCloud FileVault recovery. As well, FileVault should be enabled **after** a complete macOS installation as more pseudorandom number generator ([PRNG](https://support.apple.com/guide/security/random-number-generation-seca0c73a75b/web)) [entropy](https://en.wikipedia.org/wiki/Entropy_(computing)) will be available.

@ -141,7 +141,7 @@ We recommend storing a local recovery key in a secure place as opposed to utiliz

    **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.

-    [Visit gitlab.com](https://gitlab.com/cryptsetup/cryptsetup){ .md-button .md-button--primary }
+    [Project Wiki](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .md-button .md-button--primary }

 ??? example "Creating and opening encrypted containers"

@ -157,7 +157,7 @@ We recommend storing a local recovery key in a secure place as opposed to utiliz
    udisksctl unlock -b /dev/loop0
    ```

-!!! Warning "Remember to back up volume headers"
+!!! note "Remember to back up volume headers"

    We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:

@ -178,7 +178,7 @@ Browser-based encryption can be useful when you need to encrypt a file but canno

    **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.

-    [Visit hat.sh](https://hat.sh){ .md-button .md-button--primary }
+    [Homepage](https://hat.sh){ .md-button .md-button--primary }

    ??? downloads

@ -196,7 +196,7 @@ Tools with command-line interfaces are useful for intergrating [shell scripts](h

    **Kryptor** is a free and open source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, user friendly alternative to GPG.

-    [Visit kryptor.co.uk](https://www.kryptor.co.uk){ .md-button .md-button--primary } [Privacy Policy](https://www.kryptor.co.uk/features#privacy){ .md-button }
+    [Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } [Privacy Policy](https://www.kryptor.co.uk/features#privacy){ .md-button }

    ??? downloads

@ -213,7 +213,7 @@ Tools with command-line interfaces are useful for intergrating [shell scripts](h

    **Tomb** is an is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work).

-    [Visit dyne.org](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }
+    [Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary }

    ??? downloads

@ -221,11 +221,11 @@ Tools with command-line interfaces are useful for intergrating [shell scripts](h

 ## OpenPGP

-[OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
+OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.

 When encrypting with PGP, the user has the option to configure different options in their `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).

-??? tip "Use future defaults when generating a key"
+!!! tip "Use future defaults when generating a key"

    When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):

@ -241,7 +241,7 @@ When encrypting with PGP, the user has the option to configure different options

    **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.

-    [Visit gnupg.org](https://gnupg.org){ .md-button .md-button--primary } [Privacy Policy](https://gnupg.org/privacy-policy.html){ .md-button }
+    [Homepage](https://gnupg.org){ .md-button .md-button--primary } [Privacy Policy](https://gnupg.org/privacy-policy.html){ .md-button }

    ??? downloads

@ -259,7 +259,7 @@ When encrypting with PGP, the user has the option to configure different options

    **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that assist PGP users on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005.

-    [Visit gpg4win.org](https://gpg4win.org){ .md-button .md-button--primary } [Privacy Policy](https://gpg4win.org/privacy-policy.html){ .md-button }
+    [Homepage](https://gpg4win.org){ .md-button .md-button--primary } [Privacy Policy](https://gpg4win.org/privacy-policy.html){ .md-button }

    ??? downloads

@ -268,6 +268,10 @@ When encrypting with PGP, the user has the option to configure different options

 ### GPG Suite

+!!! note
+
+    We suggest [Canary Mail](email-clients/#canary-mail) for using PGP with email on iOS devices.
+
 !!! recommendation

    ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
@ -276,17 +280,13 @@ When encrypting with PGP, the user has the option to configure different options

    We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support.

-    [Visit gpgtools.org](https://gpgtools.org){ .md-button .md-button--primary } [Privacy Policy](https://gpgtools.org/privacy){ .md-button }
+    [Homepage](https://gpgtools.org){ .md-button .md-button--primary } [Privacy Policy](https://gpgtools.org/privacy){ .md-button }

    ??? downloads

        - [:fontawesome-brands-apple: macOS](https://gpgtools.org)
        - [:fontawesome-brands-git: Source](https://github.com/GPGTools)

-!!! note
-
-    We suggest [Canary Mail](email-clients/#canary-mail) for using PGP with email on iOS devices.
-
 ### OpenKeychain

 !!! recommendation
@ -295,7 +295,7 @@ When encrypting with PGP, the user has the option to configure different options

    **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015).

-    [Visit openkeychain.org](https://www.openkeychain.org){ .md-button .md-button--primary } [Privacy Policy](https://www.openkeychain.org/help/privacy-policy){ .md-button }
+    [Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } [Privacy Policy](https://www.openkeychain.org/help/privacy-policy){ .md-button }

    ??? downloads

--- a/docs/file-sharing.en.md
+++ b/docs/file-sharing.en.md
@ -14,7 +14,7 @@ Discover how to privately share your files between your devices, with your frien

    **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files.

-    [Visit onionshare.org](https://onionshare.org){ .md-button .md-button--primary } [:pg-tor:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .md-button }
+    [Homepage](https://onionshare.org){ .md-button .md-button--primary } [:pg-tor:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .md-button }

    ??? downloads

@ -31,7 +31,7 @@ Discover how to privately share your files between your devices, with your frien

    Magic Wormhole is a package that provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. Their motto: "Get things from one computer to another, safely.

-    [Visit magic-wormhole.readthedocs.io](https://magic-wormhole.readthedocs.io){ .md-button .md-button--primary }
+    [Homepage](https://magic-wormhole.readthedocs.io){ .md-button .md-button--primary }

    ??? downloads

@ -48,7 +48,7 @@ Discover how to privately share your files between your devices, with your frien

    **FreedomBox** is a operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to selfhost.

-    [Visit freedombox.org](https://freedombox.org){ .md-button .md-button--primary }
+    [Homepage](https://freedombox.org){ .md-button .md-button--primary }

    ??? downloads

@ -64,7 +64,7 @@ Discover how to privately share your files between your devices, with your frien

    **Syncthing** replaces proprietary sync and cloud services with something open, trustworthy, and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third-party, and how it is transmitted over the Internet.

-    [Visit syncthing.net](https://syncthing.net){ .md-button .md-button--primary }
+    [Homepage](https://syncthing.net){ .md-button .md-button--primary }

    ??? downloads

@ -81,7 +81,7 @@ Discover how to privately share your files between your devices, with your frien

    **git-annex** allows managing files with git, without checking the file contents into git. While that may seem paradoxical, it is useful when dealing with files larger than git can currently easily handle, whether due to limitations in memory, time, or disk space.

-    [Visit git-annex.branchable.com](https://git-annex.branchable.com){ .md-button .md-button--primary } [Privacy Policy](https://git-annex.branchable.com/privacy){ .md-button }
+    [Homepage](https://git-annex.branchable.com){ .md-button .md-button--primary } [Privacy Policy](https://git-annex.branchable.com/privacy){ .md-button }

    ??? downloads

--- a/docs/linux-desktop.en.md
+++ b/docs/linux-desktop.en.md
@ -18,9 +18,9 @@ If you don't already use Linux, below are some distributions we suggest trying o

    **Fedora Workstation** is our recommended distribution for users new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), and soon, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). These new technologies often come with improvements in security, privacy, and usability in general.

-    [Visit getfedora.org](https://getfedora.org/){ .md-button .md-button--primary }
+    [Homepage](https://getfedora.org/){ .md-button .md-button--primary }

-Fedora has a semi-[rolling release](https://en.wikipedia.org/wiki/Rolling_release) cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.

 ### openSUSE Tumbleweed

@ -28,11 +28,11 @@ Fedora has a semi-[rolling release](https://en.wikipedia.org/wiki/Rolling_releas

    ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }

-    **openSUSE Tumbleweed** is a stable [rolling release](https://en.wikipedia.org/wiki/Rolling_release) distribution.
+    **openSUSE Tumbleweed** is a stable rolling release distribution.

    openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.

-    [Visit get.opensuse.org](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }
+    [Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }

 Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When the user upgrades their system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.

@ -44,7 +44,7 @@ Tumbleweed follows a rolling release model where each update is released as a sn

    **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).

-    [Visit archlinux.org](https://archlinux.org/){ .md-button .md-button--primary }
+    [Homepage](https://archlinux.org/){ .md-button .md-button--primary }

 Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.

@ -62,7 +62,7 @@ A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org)

    **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.

-    [Visit silverblue.fedoraproject.org](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }
+    [Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }

 Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.

@ -80,7 +80,7 @@ As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fed

    NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.

-    [Visit nixos.org](https://nixos.org/){ .md-button .md-button--primary }
+    [Homepage](https://nixos.org/){ .md-button .md-button--primary }

 NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.

@ -102,7 +102,7 @@ Nix is a source-based package manager; if there’s no pre-built available in th

    **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet.

-    [Visit whonix.org](https://www.whonix.org/){ .md-button .md-button--primary }
+    [Homepage](https://www.whonix.org/){ .md-button .md-button--primary }

 Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway”. All communications from the Workstation has to go through the Tor gateway, and will be routed through the Tor Network.

@ -122,7 +122,7 @@ Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qube

    It can boot on almost any computer from a DVD, USB stick, or SD card. It aims to preserve privacy and anonymity while circumventing censorship and leaving no trace of itself on the computer it is used on.

-    [Visit tails.boum.org](https://tails.boum.org/){ .md-button .md-button--primary }
+    [Homepage](https://tails.boum.org/){ .md-button .md-button--primary }

 By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/first_steps/persistence/index.en.html) can be configured to store some data.

@ -130,15 +130,15 @@ By design, Tails is meant to completely reset itself after each reboot. Encrypte

 ### Drive Encryption

-Most Linux distributions have an installer option for enabling [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) FDE upon installation.
+Most Linux distributions have an installer option for enabling LUKS FDE upon installation.

-If this option isn’t set at installation time, the user will have to backup their data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning) but before [file systems](https://en.wikipedia.org/wiki/File_system) are [formatted](https://en.wikipedia.org/wiki/Disk_formatting).
+If this option isn’t set at installation time, the user will have to backup their data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted.

-When securely erasing storage devices such as a [Solid-state drive (SSD)](https://en.wikipedia.org/wiki/Solid-state_drive) you should use the [ATA Secure Erase](https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase) command. This command can be issued from your UEFI setup. If the storage device is a regular [hard drive](https://en.wikipedia.org/wiki/Hard_disk_drive), consider using [`nwipe`](https://en.wikipedia.org/wiki/Nwipe).
+When securely erasing storage devices such as a Solid-state drive (SSD) you should use the [ATA Secure Erase](https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase) command. This command can be issued from your UEFI setup. If the storage device is a regular hard drive (HDD), consider using [`nwipe`](https://en.wikipedia.org/wiki/Nwipe).

 ### Swap

-Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM](https://fedoraproject.org/wiki/Changes/SwapOnZRAM) by default.
+Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).

 ### Wayland

@ -170,11 +170,11 @@ There isn’t much point in randomizing the MAC address for Ethernet connections

 ### Other Identifiers

-There are other system [identifiers](https://madaidans-insecurities.github.io/guides/linux-hardening.html#identifiers) which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](threat-modeling.md):
+There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](threat-modeling.md):

- [10.1 Hostnames and usernames](https://madaidans-insecurities.github.io/guides/linux-hardening.html#hostnames)
- [10.2 Time zones / Locales / Keymaps](https://madaidans-insecurities.github.io/guides/linux-hardening.html#timezones-locales-keymaps)
- [10.3 Machine ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id)
+- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
+- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
+- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).

 ### System Counting

@ -183,3 +183,5 @@ The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Co
 This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer.

 openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file.
+
+--8<-- "includes/abbreviations.en.md"
--- a/docs/linux-desktop/hardening.en.md
+++ b/docs/linux-desktop/hardening.en.md
@ -24,9 +24,9 @@ If you are using non-classic [Snap](https://en.wikipedia.org/wiki/Snap_(package_

 There are some additional kernel hardening options such as configuring [sysctl](https://en.wikipedia.org/wiki/Sysctl#Linux) keys and [kernel command-line parameters](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) which are described in the following pages. We don’t recommend you change these options unless you learn about what they do.

- [2.2 Sysctl](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl)
- [2.3 Boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters)
- [2.5 Kernel attack surface reduction](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction)
+- [Recommended sysctl settings](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl)
+- [Recommended boot parameters](https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters)
+- [Additional recommendations to reduce the kernel's attack surface](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel-attack-surface-reduction)

 Note that setting `kernel.unprivileged_userns_clone=0` will stop Flatpak, Snap (that depend on browser-sandbox), Electron based AppImages, Podman, Docker, and LXC containers from working. Do **not** set this flag if you are using container products.

@ -54,7 +54,7 @@ If you use [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/tool

 ## Linux Pluggable Authentication Modules (PAM)

-There is also further hardening to [PAM](https://en.wikipedia.org/wiki/Linux_PAM) to secure authentication to your system. [14. PAM](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam) has some tips on this.
+There is also further hardening to [PAM](https://en.wikipedia.org/wiki/Linux_PAM) to secure authentication to your system. [This guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam) has some tips on this.

 On Red Hat distributions you can use [`authselect`](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel) to configure this e.g.:

@ -72,7 +72,7 @@ Another alternative option if you’re using the [linux-hardened](#linux-hardene

 ## Secure Boot

-[Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot) can be used to secure the boot process by preventing the loading of [unsigned](https://en.wikipedia.org/wiki/Public-key_cryptography) [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) drivers or [boot loaders](https://en.wikipedia.org/wiki/Bootloader). Some guidance for this is provided in [21. Physical security](https://madaidans-insecurities.github.io/guides/linux-hardening.html#physical-security) and [21.4 Verified boot](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot).
+[Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot) can be used to secure the boot process by preventing the loading of [unsigned](https://en.wikipedia.org/wiki/Public-key_cryptography) [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) drivers or [boot loaders](https://en.wikipedia.org/wiki/Bootloader). Some guidance for this is provided in [this physical security guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html#physical-security) and [this verified boot guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot).

 For further resources on Secure Boot we suggest taking a look at the following for instructional advice:

@ -89,7 +89,7 @@ One of the problems with Secure Boot particularly on Linux is that only the [cha

 - Creating an [EFI Boot Stub](https://docs.kernel.org/admin-guide/efi-stub.html) that contains the [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)), [initramfs](https://en.wikipedia.org/wiki/Initial_ramdisk) and [microcode](https://en.wikipedia.org/wiki/Microcode). This EFI stub can then be signed. If you use [dracut](https://en.wikipedia.org/wiki/Dracut_(software)) this can easily be done with the [`--uefi-stub` switch](https://man7.org/linux/man-pages/man8/dracut.8.html) or the [`uefi_stub` config](https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html) option.
 - [Encrypting the boot partition](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot). However, this has its own issues, the first being that [GRUB](https://en.wikipedia.org/wiki/GNU_GRUB) only supports [LUKS1](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) and not the newer default LUKS2 scheme. As the bootloader runs in [protected mode](https://en.wikipedia.org/wiki/Protected_mode) and the encryption module lacks [SSE acceleration](https://en.wikipedia.org/wiki/Streaming_SIMD_Extensions) the boot process will take minutes to complete.
- Using [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) to perform a [measured boot](https://www.krose.org/~krose/measured_boot).
+- Using TPM to perform a [measured boot](https://www.krose.org/~krose/measured_boot).

 After setting up Secure Boot it is crucial that you set a “firmware password” (also called a “supervisor password, “BIOS password” or “UEFI password”), otherwise an adversary can simply disable Secure Boot.

--- a/docs/linux-desktop/overview.en.md
+++ b/docs/linux-desktop/overview.en.md
@ -22,7 +22,7 @@ Our website generally uses the term “Linux” to describe desktop GNU/Linux di

 ## Release cycle

-We highly recommend that you choose distributions which stay close to the stable upstream software releases. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
+We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.

 For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such [example](https://www.debian.org/security/faq#handling)) rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.

--- a/docs/linux-desktop/sandboxing.en.md
+++ b/docs/linux-desktop/sandboxing.en.md
@ -24,9 +24,9 @@ Hard-coded access to some kernel interfaces like [`/sys`](https://en.wikipedia.o

 ### Firejail

-[Firejail](https://firejail.wordpress.com/) is another method of sandboxing. As it is a large [setuid](https://en.wikipedia.org/wiki/Setuid) binary, it has a large [attack surface](https://en.wikipedia.org/wiki/Attack_surface) which may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation).
+[Firejail](https://firejail.wordpress.com/) is another method of sandboxing. As it is a large [setuid](https://en.wikipedia.org/wiki/Setuid) binary, it has a large attack surface which may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation).

-The main risk is that Firejail may make the system safer from processes confined by it, but make it also less safe from processes running outside of Firejail. We [don’t recommend](https://madaidans-insecurities.github.io/linux.html#firejail) the use of Firejail.
+[This post from a Whonix security researcher](https://madaidans-insecurities.github.io/linux.html#firejail) provides additional details on how Firejail can worsen the security of your device.

 ### Mandatory Access Control

@ -55,7 +55,7 @@ For advanced users, you can make your own AppArmor profiles, SELinux policies, B

 If you’re running a server you may have heard of Linux Containers, Docker, or Podman which refer to a kind of [OS-level virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization). Containers are more common in server and development environments where individual apps are built to operate independently.

-[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It does not run a proper sandbox, and this means that there is a large kernel [attack surface](https://en.wikipedia.org/wiki/Attack_surface). The [daemon](https://en.wikipedia.org/wiki/Daemon_(computing)) controls everything and [typically](https://docs.docker.com/engine/security/rootless/#known-limitations) runs as root. If it crashes for some reason, all the containers will crash too. The [gVisor](https://en.wikipedia.org/wiki/GVisor) runtime which implements an application level kernel can help limit the number of [syscalls](https://en.wikipedia.org/wiki/System_call) an application can make and can help isolate it from the host’s [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)).
+[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It does not run a proper sandbox, and this means that there is a large kernel attack surface. The [daemon](https://en.wikipedia.org/wiki/Daemon_(computing)) controls everything and [typically](https://docs.docker.com/engine/security/rootless/#known-limitations) runs as root. If it crashes for some reason, all the containers will crash too. The [gVisor](https://en.wikipedia.org/wiki/GVisor) runtime which implements an application level kernel can help limit the number of [syscalls](https://en.wikipedia.org/wiki/System_call) an application can make and can help isolate it from the host’s [kernel](https://en.wikipedia.org/wiki/Kernel_(operating_system)).

 Red Hat develops [Podman](https://docs.podman.io/en/latest/) and secures it with SELinux to [isolate](https://www.redhat.com/sysadmin/apparmor-selinux-isolation) containers from each other. One of the notable differences between Docker and Podman is that Docker requires [root](https://en.wikipedia.org/wiki/Superuser) while Podman can run with [rootless containers](https://developers.redhat.com/blog/2020/09/25/rootless-containers-with-podman-the-basics) that are also [daemonless](https://developers.redhat.com/blog/2018/08/29/intro-to-podman), meaning if one crashes they don’t all come down.

--- a/docs/metadata-removal-tools.en.md
+++ b/docs/metadata-removal-tools.en.md
@ -16,7 +16,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly

    For Linux users, a third party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner).

-    [Visit 0xacab.org](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }
+    [Homepage](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary }

    ??? downloads

@ -34,7 +34,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly

    **ExifCleaner** is a freeware, open source graphical app that uses [ExifTool](https://exiftool.org) to remove Exif metadata from images, videos, and PDF documents using a simple drag and drop interface. It supports multi-core batch processing and dark mode.

-    [Visit exifcleaner.com](https://exifcleaner.com){ .md-button .md-button--primary }
+    [Homepage](https://exifcleaner.com){ .md-button .md-button--primary }

    ??? downloads

@ -53,7 +53,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly

    **Scrambled Exif** is a metadata removal tool for Android. It can remove Exif data for many file formats and has been translated into [many](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) languages.

-    [Visit gitlab.com](https://gitlab.com/juanitobananas/scrambled-exif){ .md-button .md-button--primary }
+    [Project Info](https://gitlab.com/juanitobananas/scrambled-exif#scrambled-exif){ .md-button .md-button--primary }

    ??? downloads

@ -69,36 +69,33 @@ When sharing files, be sure to remove associated metadata. Image files commonly

    **Imagepipe** is a a paint app for Android that can be used to redact photos and also delete Exif metadata. It has been translated into [many](https://codeberg.org/Starfish/Imagepipe#translations) languages.

-    [Visit codeberg.org](https://codeberg.org/Starfish/Imagepipe){ .md-button .md-button--primary }
+    [Project Info](https://codeberg.org/Starfish/Imagepipe#imagepipe){ .md-button .md-button--primary }

    ??? downloads

        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.kaffeemitkoffein.imagepipe/)
        - [:fontawesome-brands-git: Source](https://codeberg.org/Starfish/Imagepipe)

-!!! info
-
-    Imagepipe is only available from F-Droid and not in Google Play. If you're looking for a paint app in Google Play we suggest [Pocket Paint](https://play.google.com/store/apps/details?id=org.catrobat.paintroid).
+Imagepipe is only available from F-Droid and not in Google Play. If you're looking for a paint app in Google Play we suggest [Pocket Paint](https://play.google.com/store/apps/details?id=org.catrobat.paintroid).

 ### Metapho

+!!! attention
+
+    Metapho is closed source. We recommend it, due to the few choices there are for iOS devices.
+
 !!! recommendation

    ![Metapho logo](assets/img/metadata-removal/metapho.jpg){ align=right }

    Metapho is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location.

-    [Visit zininworks.com](https://zininworks.com/metapho){ .md-button .md-button--primary } [Privacy Policy](https://zininworks.com/privacy/){ .md-button }
+    [Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } [Privacy Policy](https://zininworks.com/privacy/){ .md-button }

    ??? downloads

        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/metapho/id914457352)

-!!! attention
-
-    Metapho is closed source. We recommend it, due to the few choices there are for iOS devices.
-
-
 ## Command-line

 ### ExifTool
@ -111,7 +108,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly

    It's often a component of other Exif removal applications and is in most Linux distribution repositories.

-    [Visit exiftool.org](https://exiftool.org){ .md-button .md-button--primary }
+    [Homepage](https://exiftool.org){ .md-button .md-button--primary }

    ??? downloads

@ -122,7 +119,7 @@ When sharing files, be sure to remove associated metadata. Image files commonly
        - [:fontawesome-brands-github: Source](https://github.com/exiftool/exiftool)


-??? example "Deleting data from a directory of files"
+!!! example "Deleting data from a directory of files"

    ```bash
    exiftool -all= *.file_extension
--- a/docs/multi-factor-authentication.en.md
+++ b/docs/multi-factor-authentication.en.md
@ -14,7 +14,7 @@ icon: 'material/two-factor-authentication'

    One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.

-    [Visit yubico.com](https://www.yubico.com){ .md-button .md-button--primary } [Privacy Policy](https://www.yubico.com/support/terms-conditions/privacy-notice){ .md-button }
+    [Website](https://www.yubico.com){ .md-button .md-button--primary } [Privacy Policy](https://www.yubico.com/support/terms-conditions/privacy-notice){ .md-button }

 The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.

@ -33,7 +33,7 @@ For models which support HOTP and TOTP, there are 2 slots in the OTP interface w

    **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](security/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.

-    [Visit nitrokey.com](https://www.nitrokey.com){ .md-button .md-button--primary } [Privacy Policy](https://www.nitrokey.com/data-privacy-policy){ .md-button }
+    [Website](https://www.nitrokey.com){ .md-button .md-button--primary } [Privacy Policy](https://www.nitrokey.com/data-privacy-policy){ .md-button }

 The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.

@ -41,18 +41,18 @@ Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.

 For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.

- The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes.
-
- The Nitrokey has an open source firmware, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
 !!! warning

    While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks.

-!!! attention
+!!! warning

    Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html).

+ The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. Purism's [Librem Key](https://puri.sm/products/librem-key/) is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes.
+
+ The Nitrokey has an open source firmware, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
+
 !!! tip

    The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app).
@ -71,7 +71,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative

    **Aegis Authenticator** is a free, secure and open source app to manage your 2-step verification tokens for your online services.

-    [Visit getaegis.app](https://getaegis.app){ .md-button .md-button--primary } [Privacy Policy](https://getaegis.app/aegis/privacy.html){ .md-button }
+    [Homepage](https://getaegis.app){ .md-button .md-button--primary } [Privacy Policy](https://getaegis.app/aegis/privacy.html){ .md-button }

    ??? downloads

@ -87,7 +87,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative

    **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app.

-    [Visit github.com](https://github.com/raivo-otp/ios-application){ .md-button .md-button--primary } [Privacy Policy](https://github.com/raivo-otp/ios-application/blob/master/PRIVACY.md){ .md-button }
+    [Project Info](https://github.com/raivo-otp/ios-application#readme){ .md-button .md-button--primary } [Privacy Policy](https://github.com/raivo-otp/ios-application/blob/master/PRIVACY.md){ .md-button }

    ??? downloads

--- a/docs/news-aggregators.en.md
+++ b/docs/news-aggregators.en.md
@ -15,7 +15,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k

    **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](self-contained-networks.md#tor).

-    [Visit hyliu.me](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Privacy Policy](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .md-button }
+    [Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Privacy Policy](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .md-button }

    ??? downloads

@ -31,7 +31,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k

    **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast.

-    [Visit gfeeds.gabmus.org](https://gfeeds.gabmus.org){ .md-button .md-button--primary }
+    [Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary }

    ??? downloads

@ -47,7 +47,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k

    **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading.

-    [Visit kde.org](https://apps.kde.org/akregator){ .md-button .md-button--primary } [Privacy Policy](https://kde.org/privacypolicy-apps){ .md-button }
+    [Website](https://apps.kde.org/akregator){ .md-button .md-button--primary } [Privacy Policy](https://kde.org/privacypolicy-apps){ .md-button }

    ??? downloads

@ -62,7 +62,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k

    **Handy News Reader** is a fork of [Flym](https://github.com/FredJul/Flym) that has many [features](https://github.com/yanus171/Handy-News-Reader#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) and [RDF](https://en.wikipedia.org/wiki/RDF%2FXML).

-    [Visit yanus171.github.io](https://yanus171.github.io/Handy-News-Reader/){ .md-button .md-button--primary }
+    [Homepage](https://yanus171.github.io/Handy-News-Reader/){ .md-button .md-button--primary }

    ??? downloads

@ -78,7 +78,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k

    **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds.

-    [Visit netnewswire.com](https://netnewswire.com/){ .md-button .md-button--primary } [Privacy Policy](https://netnewswire.com/privacypolicy){ .md-button }
+    [Homepage](https://netnewswire.com/){ .md-button .md-button--primary } [Privacy Policy](https://netnewswire.com/privacypolicy){ .md-button }

    ??? downloads

@ -95,7 +95,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k

    **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed).

-    [Visit miniflux.app](https://miniflux.app){ .md-button .md-button--primary }
+    [Homepage](https://miniflux.app){ .md-button .md-button--primary }

    ??? downloads

@ -109,7 +109,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k

    **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell).

-    [Visit newsboat.org](https://newsboat.org){ .md-button .md-button--primary }
+    [Homepage](https://newsboat.org){ .md-button .md-button--primary }

    ??? downloads

@ -122,6 +122,7 @@ Some social media services also support RSS although it's not often advertised.
 ### YouTube

 You can subscribe YouTube channels without logging in and associating usage information with your Google Account.
+
 !!! example

    To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `channel_id` below:
--- a/docs/notebooks.en.md
+++ b/docs/notebooks.en.md
@ -17,7 +17,7 @@ If you are currently using an application like Evernote, Google Keep, or Microso

    **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes.

-    [Visit joplinapp.org](https://joplinapp.org/){ .md-button .md-button--primary }
+    [Website](https://joplinapp.org/){ .md-button .md-button--primary }

    ??? downloads

@ -31,9 +31,7 @@ If you are currently using an application like Evernote, Google Keep, or Microso
        - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.cozic.joplin)
        - [:fontawesome-brands-github: GitHub](https://github.com/laurent22/joplin)

-!!! warning
-
-    Joplin does not support password/pin protection for the [application itself or individual notes/notebooks](https://github.com/laurent22/joplin/issues/289). Data is still encrypted in transit and at the sync location using your master key.
+Joplin does not support password/pin protection for the [application itself or individual notes/notebooks](https://github.com/laurent22/joplin/issues/289). Data is still encrypted in transit and at the sync location using your master key.

 ### Standard Notes

@ -43,7 +41,7 @@ If you are currently using an application like Evernote, Google Keep, or Microso

    Standard Notes is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf).

-    [Visit standardnotes.com](https://standardnotes.com){ .md-button .md-button--primary }
+    [Website](https://standardnotes.com){ .md-button .md-button--primary }

    ??? downloads

@ -66,7 +64,7 @@ If you are currently using an application like Evernote, Google Keep, or Microso

    [etebase](https://docs.etebase.com), which is the foundation of EteSync, can also be used by other apps as a backend to store data end-to-end encrypted (E2EE).

-    [Visit etesync.com](https://www.etesync.com){ .md-button .md-button--primary }  [Privacy Policy](https://www.etesync.com/tos/#privacy){ .md-button }
+    [Website](https://www.etesync.com){ .md-button .md-button--primary }  [Privacy Policy](https://www.etesync.com/tos/#privacy){ .md-button }

    ??? downloads

@ -86,7 +84,7 @@ If you are currently using an application like Evernote, Google Keep, or Microso

    **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](/software/file-sharing/#sync) tools.

-    [Visit orgmode.org](https://orgmode.org){ .md-button .md-button--primary }
+    [Homepage](https://orgmode.org){ .md-button .md-button--primary }

    ??? downloads

--- a/docs/passwords.en.md
+++ b/docs/passwords.en.md
@ -22,7 +22,7 @@ These password managers store the password database locally.

    **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.

-    [Visit keepassxc.org](https://keepassxc.org){ .md-button .md-button--primary } [Privacy Policy](https://keepassxc.org/privacy){ .md-button }
+    [Homepage](https://keepassxc.org){ .md-button .md-button--primary } [Privacy Policy](https://keepassxc.org/privacy){ .md-button }

    ??? downloads

@ -34,9 +34,7 @@ These password managers store the password database locally.
        - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk)
        - [:fontawesome-brands-github: Source](https://github.com/keepassxreboot/keepassxc)

-!!! warning
-
-    KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually.
+KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually.

 ### KeePassDX

@ -48,7 +46,7 @@ These password managers store the password database locally.

    For more details, we recommend looking at their [FAQ](https://github.com/Kunzisoft/KeePassDX/wiki/FAQ).

-    [Visit keepassdx.com](https://www.keepassdx.com){ .md-button .md-button--primary }
+    [Homepage](https://www.keepassdx.com){ .md-button .md-button--primary }

    ??? downloads

@ -68,7 +66,7 @@ These password managers sync up to a cloud server that may be self-hostable.

    **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the easiest and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. If you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden server.

-    [Visit bitwarden.com](https://bitwarden.com){ .md-button .md-button--primary } [Privacy Policy](https://bitwarden.com/privacy){ .md-button }
+    [Website](https://bitwarden.com){ .md-button .md-button--primary } [Privacy Policy](https://bitwarden.com/privacy){ .md-button }

    ??? downloads

@ -92,7 +90,7 @@ These password managers sync up to a cloud server that may be self-hostable.

    **Psono** is a free and open source password manager from Germany, with a focus on password management for teams. It can be [self-hosted](#password-management-servers). Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password.

-    [Visit psono.com](https://psono.com){ .md-button .md-button--primary } [Privacy Policy](https://psono.com/privacy-policy){ .md-button }
+    [Website](https://psono.com){ .md-button .md-button--primary } [Privacy Policy](https://psono.com/privacy-policy){ .md-button }

    ??? downloads

@ -116,7 +114,7 @@ These products are self-hostable synchronization for cloud based password manage

    **Vaultwarden** is an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.

-    [Visit github.com](https://github.com/dani-garcia/vaultwarden){ .md-button .md-button--primary }
+    [Project Info](https://github.com/dani-garcia/vaultwarden#readme){ .md-button .md-button--primary }

    ??? downloads

@ -131,7 +129,7 @@ These products are self-hostable synchronization for cloud based password manage

    Psono provides [extensive documentation](https://doc.psono.com/) for their product. The [web-client](https://doc.psono.com/admin/installation/install-webclient.html#installation-with-docker) for Psono can be self hosted; alternatively, you can choose the the full [Community Edition](https://doc.psono.com/admin/installation/install-server-ce.html) or the [Enterprise Edition](https://doc.psono.com/admin/installation/install-server-ee.html) with additional features.

-    [Visit gitlab.com](https://gitlab.com/psono/psono-server){ .md-button .md-button--primary } [Privacy Policy](https://psono.com/privacy-policy){ .md-button }
+    [Source Code](https://gitlab.com/psono/psono-server){ .md-button .md-button--primary } [Privacy Policy](https://psono.com/privacy-policy){ .md-button }

    ??? downloads

@ -150,7 +148,7 @@ These products are minimal password managers that can be used within scripting a

    **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, MacOS, BSD, Windows).

-    [Visit gopass.pw](https://www.gopass.pw){ .md-button .md-button--primary }
+    [Homepage](https://www.gopass.pw){ .md-button .md-button--primary }

    ??? downloads

--- a/docs/productivity.en.md
+++ b/docs/productivity.en.md
@ -14,7 +14,7 @@ Get working and collaborating without sharing your documents with a middleman or

    **LibreOffice** is a free and open-source office suite with extensive functionality.

-    [Visit libreoffice.org](https://www.libreoffice.org){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }
+    [Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } [Privacy Policy](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button }

    ??? downloads

@ -37,7 +37,7 @@ Get working and collaborating without sharing your documents with a middleman or

    **OnlyOffice** is alternative, it is free and open-source office suite with extensive functionality.

-    [Visit onlyoffice.com](https://www.onlyoffice.com){ .md-button .md-button--primary } [Privacy Policy](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .md-button }
+    [Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } [Privacy Policy](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .md-button }

    ??? downloads

@ -59,7 +59,7 @@ Get working and collaborating without sharing your documents with a middleman or

    **Framadate** is a free and open-source online service for planning an appointment or making a decision quickly and easily. No registration is required.

-    [Visit framadate.org](https://framadate.org){ .md-button .md-button--primary }
+    [Homepage](https://framadate.org){ .md-button .md-button--primary }

    ??? downloads

@ -75,7 +75,7 @@ Get working and collaborating without sharing your documents with a middleman or

    **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin.

-    [Visit privatebin.info](https://privatebin.info){ .md-button .md-button--primary }
+    [Website](https://privatebin.info){ .md-button .md-button--primary }

    ??? downloads

@ -92,7 +92,7 @@ Get working and collaborating without sharing your documents with a middleman or

    **CryptPad** is a private-by-design alternative to popular office tools. All content is end-to-end encrypted.

-    [Visit cryptpad.fr](https://cryptpad.fr){ .md-button .md-button--primary } [Privacy Policy](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .md-button }
+    [Website](https://cryptpad.fr){ .md-button .md-button--primary } [Privacy Policy](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .md-button }

    ??? downloads

@ -112,7 +112,7 @@ Get working and collaborating without sharing your documents with a middleman or

    **Write.as** is a cross-platform, privacy-oriented blogging platform. It's anonymous by default, letting you publish without signing up. If you create an account, it doesn't require any personal information. No ads, distraction-free, and built on a sustainable business model.

-    [Visit write.as](https://write.as){ .md-button .md-button--primary } [:pg-tor:](http://writeasw4b635r4o3vec6mu45s47ohfyro5vayzx2zjwod4pjswyovyd.onion){ .md-button } [Privacy Policy](https://write.as/privacy){ .md-button }
+    [Website](https://write.as){ .md-button .md-button--primary } [:pg-tor:](http://writeasw4b635r4o3vec6mu45s47ohfyro5vayzx2zjwod4pjswyovyd.onion){ .md-button } [Privacy Policy](https://write.as/privacy){ .md-button }

    ??? downloads

@ -134,7 +134,7 @@ Get working and collaborating without sharing your documents with a middleman or

    **VSCodium** is a free and open-source project featuring binaries of [Visual Studio Code](https://code.visualstudio.com) without Microsoft's branding/telemetry/licensing.

-    [Visit vscodium.com](https://vscodium.com){ .md-button .md-button--primary }
+    [Homepage](https://vscodium.com){ .md-button .md-button--primary }

    ??? downloads

--- a/docs/qubes.en.md
+++ b/docs/qubes.en.md
@ -12,7 +12,7 @@ Qubes OS is a distribution of Linux that uses [Xen](https://en.wikipedia.org/wik

    **Qubes** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.

-    [Visit qubes-os.org](https://www.qubes-os.org/){ .md-button .md-button--primary } [:pg-tor:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .md-button } [Privacy Policy](https://www.qubes-os.org/privacy){ .md-button }
+    [Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } [:pg-tor:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .md-button } [Privacy Policy](https://www.qubes-os.org/privacy){ .md-button }

    ??? downloads

--- a/docs/real-time-communication.en.md
+++ b/docs/real-time-communication.en.md
@ -14,7 +14,7 @@ icon: material/chat-processing

    All communications are E2EE. Contact lists are encrypted using your login PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts who add you.

-    [Visit signal.org](https://signal.org/){ .md-button .md-button--primary }
+    [Homepage](https://signal.org/){ .md-button .md-button--primary }

    ??? downloads

@ -43,13 +43,14 @@ The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf)

    Messages and files shared in private rooms (those which require an invite) are by default E2EE as are 1 to 1 voice and video calls.

-    [Visit element.io](https://element.io/){ .md-button .md-button--primary }
+    [Website](https://element.io/){ .md-button .md-button--primary }

    ??? downloads

        - [:fontawesome-brands-windows: Windows](https://element.io/get-started)
        - [:fontawesome-brands-apple: macOS](https://element.io/get-started)
        - [:fontawesome-brands-linux: Linux](https://element.io/get-started)
+        - [:octicons-browser-16: Browser](https://app.element.io)
        - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
        - [:pg-f-droid: F-Droid](https://f-droid.org/packages/im.vector.app/)
        - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/vector/id1083446067)
@ -71,7 +72,7 @@ The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matr

    **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem.

-    [Visit briarproject.org](https://briarproject.org/){ .md-button .md-button--primary }
+    [Homepage](https://briarproject.org/){ .md-button .md-button--primary }

    ??? downloads

@ -95,7 +96,7 @@ Briar supports perfect forward secrecy by using the Bramble [Handshake](https://

    **Session** is an encrypted instant messenger that uses three random [service nodes](https://getsession.org/blog/onion-requests-session-new-message-routing-solution) to route messages anonymously on the [Oxen Network](https://oxen.io).

-    [Visit getsession.org](https://getsession.org/){ .md-button .md-button--primary }
+    [Homepage](https://getsession.org/){ .md-button .md-button--primary }

    ??? downloads

--- a/docs/router.en.md
+++ b/docs/router.en.md
@ -6,9 +6,6 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F

 ### OpenWrt

-!!! note
-    Consult the [Table of Hardware](https://openwrt.org/toh/start) to check if your device is supported.
-
 !!! recommendation

    ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
@ -16,12 +13,14 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F

    **OpenWrt** is an operating system (in particular, an embedded operating system) based on the Linux kernel, primarily used on embedded devices to route network traffic. The main components are the Linux kernel, util-linux, uClibc, and BusyBox. All components have been optimized for size, to be small enough for fitting into the limited storage and memory available in home routers.

-    [Visit openwrt.org](https://openwrt.org){ .md-button .md-button--primary }
+    [Homepage](https://openwrt.org){ .md-button .md-button--primary }

    ??? downloads

        - [:fontawesome-brands-git: Source](https://git.openwrt.org)

+You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported.
+
 ### pfSense

 !!! recommendation
@ -31,7 +30,7 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F

    pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a computer to make a dedicated firewall/router for a network and is noted for its reliability and offering features often only found in expensive commercial firewalls. pfSense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.

-    [Visit pfsense.org](https://www.pfsense.org){ .md-button .md-button--primary } [Privacy Policy](https://www.pfsense.org/privacy.html){ .md-button }
+    [Homepage](https://www.pfsense.org){ .md-button .md-button--primary } [Privacy Policy](https://www.pfsense.org/privacy.html){ .md-button }

    ??? downloads

--- a/docs/search-engines.en.md
+++ b/docs/search-engines.en.md
@ -18,11 +18,9 @@ Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your thr

    DuckDuckGo uses a commercial Bing API and various [other sources](https://help.duckduckgo.com/results/sources) to provide its search data.

-    [Visit duckduckgo.com](https://duckduckgo.com){ .md-button .md-button--primary } [:pg-tor:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .md-button } [Privacy Policy](https://duckduckgo.com/privacy){ .md-button }
+    [Website](https://duckduckgo.com){ .md-button .md-button--primary } [:pg-tor:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .md-button } [Privacy Policy](https://duckduckgo.com/privacy){ .md-button }

-!!! note
-
-    DuckDuckGo is based in the 🇺🇸 US. Their [Privacy Policy](https://duckduckgo.com/privacy) states they do log your search query, but not your IP or any other identifying information.
+DuckDuckGo is based in the :flag_us: US. Their [Privacy Policy](https://duckduckgo.com/privacy) states they **do** log your search query, but not your IP or any other identifying information.

 DuckDuckGo has a [lite](https://duckduckgo.com/lite) and [html](https://duckduckgo.com/html) only version, both of which [do not require JavaScript](https://help.duckduckgo.com/features/non-javascript) and can be used with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion) (append [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version).

@ -34,11 +32,9 @@ DuckDuckGo has a [lite](https://duckduckgo.com/lite) and [html](https://duckduck

    **Startpage** is a search engine that provides Google search results. It is a very convenient way to get Google search results without experiencing dark patterns such as difficult captchas or being refused access because you used a [VPN](vpn.md) or [Tor](https://www.torproject.org/download/).

-    [Visit startpage.com](https://www.startpage.com){ .md-button .md-button--primary } [Privacy Policy](https://www.startpage.com/en/privacy-policy){ .md-button }
+    [Website](https://www.startpage.com){ .md-button .md-button--primary } [Privacy Policy](https://www.startpage.com/en/privacy-policy){ .md-button }

-!!! note
-
-    Startpage is based in the 🇳🇱 Netherlands. According to their [Privacy Policy](https://www.startpage.com/en/privacy-policy/), they only log details such as: operating system, type of browser and language. They do not log your IP address, search queries or other identifying information. Startpage proxies Google Search so Google does have access to your search queries.
+Startpage is based in the :flag_nl: Netherlands. According to their [Privacy Policy](https://www.startpage.com/en/privacy-policy/), they only log details such as: operating system, type of browser and language. They do not log your IP address, search queries or other identifying information. Startpage proxies Google Search so Google does have access to your search queries.

 Startpage's majority shareholder is System1 who is an adtech company. We don't think that is an issue as they have their own Privacy Policy. The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) for clarification and was satisfied by the answers we received.

@ -50,30 +46,27 @@ Startpage's majority shareholder is System1 who is an adtech company. We don't t

    **Mojeek** is another privacy friendly search engine. They use their own crawler to provide search data.

-    [Visit mojeek.com](https://www.mojeek.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mojeek.com/about/privacy){ .md-button }
+    [Website](https://www.mojeek.com){ .md-button .md-button--primary } [Privacy Policy](https://www.mojeek.com/about/privacy){ .md-button }

-!!! note
+The company is based in the :flag_gb: UK. According to their [Privacy Policy](https://www.mojeek.com/about/privacy/), they log the originating country, time, page requested, and referral data of each query. IP addresses are not logged.

-    The company is based in the 🇬🇧 UK. According to their [Privacy Policy](https://www.mojeek.com/about/privacy/), they log the originating country, time, page requested, and referral data of each query. IP addresses are not logged.
-
-### Searx
+### SearXNG

 !!! recommendation

-    ![Searx logo](assets/img/search-engines/searx.svg){ align=right }
+    ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right }

-    **Searx** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing information about its users. There is a [list of public instances](https://searx.space/).
-
-    [Visit searx.github.io](https://searx.github.io/searx){ .md-button .md-button--primary } [:pg-tor:](http://searxspbitokayvkhzhsnljde7rqmn7rvoga6e4waeub3h7ug3nghoad.onion){ .md-button }
+    **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing information about its users. It is an actively maintained fork of [SearX](https://github.com/searx/searx). There is a [list of public instances](https://searx.space/).

+    [Homepage](https://searxng.org){ .md-button .md-button--primary }
    ??? downloads

-        - [:fontawesome-brands-github: Source](https://github.com/asciimoo/searx)
+        - [:fontawesome-brands-github: Source](https://github.com/searxng/searxng)

-Searx is a proxy between the user and the search engines it aggregates from. Your search queries will still be sent to the search engines that Searx gets its results from.
+SearXNG is a proxy between the user and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from.

-When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Searx, as other people looking up illegal content on your instance could draw unwanted attention from authorities.
+When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as users looking up illegal content on your instance could draw unwanted attention from authorities.

-When you are using a Searx instance, be sure to go read the Privacy Policy of that specific instance. Searx instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII (Personally Identifiable Information).
+When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII.

 --8<-- "includes/abbreviations.en.md"
--- a/docs/self-contained-networks.en.md
+++ b/docs/self-contained-networks.en.md
@ -14,7 +14,7 @@ If you are currently browsing clearnet and want to access the dark web, this sec

    The **Tor** network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor's users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Tor is an effective censorship circumvention tool.

-    [Visit torproject.org](https://www.torproject.org){ .md-button .md-button--primary } [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .md-button }
+    [Homepage](https://www.torproject.org){ .md-button .md-button--primary } [:pg-tor:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .md-button }

    ??? downloads

@ -38,7 +38,7 @@ If you are currently browsing clearnet and want to access the dark web, this sec

    **I2P** is a computer network layer that allows applications to send messages to each other pseudonymously and securely. Uses include anonymous Web surfing, chatting, blogging, and file transfers. The software that implements this layer is called an I2P router and a computer running I2P is called an I2P node. The software is free and open-source and is published under multiple licenses.

-    [Visit geti2p.net](https://geti2p.net){ .md-button .md-button--primary } [:pg-i2p:](http://i2p-projekt.i2p){ .md-button }
+    [Homepage](https://geti2p.net){ .md-button .md-button--primary } [:pg-i2p:](http://i2p-projekt.i2p){ .md-button }

    ??? downloads

@ -61,7 +61,7 @@ If you are currently browsing clearnet and want to access the dark web, this sec

    **Freenet** is a peer-to-peer platform for censorship-resistant communication. It uses a decentralized distributed data store to keep and deliver information, and has a suite of free software for publishing and communicating on the Web without fear of censorship. Both Freenet and some of its associated tools were originally designed by Ian Clarke, who defined Freenet's goal as providing freedom of speech on the Internet with strong anonymity protection.

-    [Visit freenetproject.org/](https://freenetproject.org){ .md-button .md-button--primary }
+    [Homepage](https://freenetproject.org){ .md-button .md-button--primary }

    ??? downloads

--- a/docs/setup/integrating-metadata-removal.en.md
+++ b/docs/setup/integrating-metadata-removal.en.md
@ -7,8 +7,7 @@ When sharing files, it's important to remove associated metadata. Image files co

 While there are plenty of metadata removal tools, they typically aren't convenient to use. The guides featured here aim to detail how to integrate metadata removal tools in a simple fashion by utilizing easy-to-access system features.

-!!! tip "Related"
-    For a list of the metadata removal tools that we recommend, visit our [metadata removal tools](../metadata-removal-tools.md) page.
+- [Recommended metadata removal tools :material-arrow-right:](../metadata-removal-tools.md)

 ## macOS

--- a/docs/technology/dns.en.md
+++ b/docs/technology/dns.en.md
@ -163,7 +163,7 @@ Governments, in particular [China](https://www.zdnet.com/article/china-is-now-bl

 ### Online Certificate Status Protocol (OCSP)

-Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting a [HTTPS](https://en.wikipedia.org/wiki/HTTPS) website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
+Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting a HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.

 The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.

--- a/docs/tools.en.md
+++ b/docs/tools.en.md
@ -125,7 +125,6 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 - ![Disroot logo](assets/img/email/mini/disroot.svg#only-light){ .twemoji }![Disroot logo](assets/img/email/mini/disroot-dark.svg#only-dark){ .twemoji } [Disroot](https://disroot.org/)
 - ![Tutanota logo](assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](https://tutanota.com/)
 - ![StartMail logo](assets/img/email/mini/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/mini/startmail-dark.svg#only-dark){ .twemoji } [StartMail](https://startmail.com/)
- ![CTemplar logo](assets/img/email/mini/ctemplar.svg#only-light){ .twemoji }![CTemplar logo](assets/img/email/mini/ctemplar-dark.svg#only-dark){ .twemoji } [CTemplar](https://ctemplar.com/)

 </div>

@ -155,8 +154,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b

 - ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](https://duckduckgo.com/)
 - ![Startpage logo](assets/img/search-engines/startpage.svg){ .twemoji } [Startpage](https://www.startpage.com/)
- ![Mojeek logo](assets/img/search-engines//mini/mojeek.svg){ .twemoji } [Mojeek](https://www.mojeek.com/)
- ![Searx logo](assets/img/search-engines/searx.svg){ .twemoji } [Searx](https://searx.me/)
+- ![Mojeek logo](assets/img/search-engines/mini/mojeek.svg){ .twemoji } [Mojeek](https://www.mojeek.com/)
+- ![SearXNG logo](assets/img/search-engines/mini/searxng-wordmark.svg){ .twemoji } [SearXNG](https://searxng.org)

 </div>

@ -170,7 +169,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b

    If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.

-    If you're looking for added **security**, you should always ensure you're connecting to websites using [HTTPS](https://en.wikipedia.org/wiki/HTTPS). A VPN is not a replacement for good security practices.
+    If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.

    [Learn more :material-arrow-right:](vpn.md)

@ -206,6 +205,8 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b

 - ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](https://joplinapp.org/)
 - ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](https://standardnotes.org/)
+- ![EteSync Notes logo](assets/img/notebooks/etesync-notes.png){ .twemoji } [EteSync Notes](https://www.etesync.com/)
+- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](https://orgmode.org/)

 </div>

--- a/docs/video-streaming.en.md
+++ b/docs/video-streaming.en.md
@ -16,7 +16,7 @@ The primary threat when using a video streaming platform is that your streaming

    By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments.

-    [Visit freetubeapp.io](https://freetubeapp.io){ .md-button .md-button--primary } [Privacy Policy](https://freetubeapp.io/privacy.php){ .md-button }
+    [Homepage](https://freetubeapp.io){ .md-button .md-button--primary } [Privacy Policy](https://freetubeapp.io/privacy.php){ .md-button }

    ??? downloads

@ -40,7 +40,7 @@ The primary threat when using a video streaming platform is that your streaming

    **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet.

-    [Visit lbry.com](https://lbry.com){ .md-button .md-button--primary } [Privacy Policy](https://lbry.com/privacypolicy){ .md-button }
+    [Website](https://lbry.com){ .md-button .md-button--primary } [Privacy Policy](https://lbry.com/privacypolicy){ .md-button }

    ??? downloads

@ -59,7 +59,7 @@ The primary threat when using a video streaming platform is that your streaming

 We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel.

-You can  disable *Save hosting data to help the LBRY network* option (:gear: Settings → Advanced Settings) to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.
+You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time.

 ### NewPipe

@ -71,7 +71,7 @@ You can  disable *Save hosting data to help the LBRY network* option (:gear: Set

    Your subscription list and playlists are saved locally on your Android device.

-    [Visit newpipe.net](https://newpipe.net){ .md-button .md-button--primary } [Privacy Policy](https://newpipe.net/legal/privacy){ .md-button }
+    [Homepage](https://newpipe.net){ .md-button .md-button--primary } [Privacy Policy](https://newpipe.net/legal/privacy){ .md-button }

    ??? downloads

@ -103,7 +103,7 @@ This fork is not endorsed by or affiliated with the upstream project. The NewPip

    **Invidious** is a free and open source front end for YouTube that is also self-hostable. There are list of [public instances](https://instances.invidious.io). Some instances have [Tor](https://www.torproject.org) onion services support.

-    [Visit invidious.io](https://invidious.io){ .md-button .md-button--primary } [Privacy Policy](){ .md-button }
+    [Website](https://invidious.io){ .md-button .md-button--primary } [Privacy Policy](){ .md-button }

    ??? downloads

@ -132,7 +132,7 @@ When you are using an Invidious instance, be sure to go read the Privacy Policy

    Piped requires JavaScript in order to function.

-    [Visit piped.kavin.rocks](https://piped.kavin.rocks/){ .md-button .md-button--primary }
+    [Website](https://piped.kavin.rocks/){ .md-button .md-button--primary }

    ??? downloads

--- a/docs/vpn.en.md
+++ b/docs/vpn.en.md
@ -11,11 +11,11 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.

    If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN.

-    If you're looking for added **security**, you should always ensure you're connecting to websites using [HTTPS](https://en.wikipedia.org/wiki/HTTPS). A VPN is not a replacement for good security practices.
+    If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.

    [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button }

-??? info "When are VPNs useful?"
+??? question "When are VPNs useful?"

    If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.

@ -23,7 +23,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.

 ## Recommended Providers

-!!! example "Criteria"
+!!! summary "Criteria"

    Our recommended providers are outside the US, use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#our-criteria) for more information.

@ -38,7 +38,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.

    **EUR €60/year**

-    [Visit Mullvad.net](https://mullvad.net){ .md-button .md-button--primary }
+    [Website](https://mullvad.net){ .md-button .md-button--primary } [:pg-tor:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .md-button }

 ??? check "35 Countries"

@ -98,7 +98,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.

    **Free** - **Basic Plan USD $48/year** - **Plus Plan USD $96/year**

-    [Visit ProtonVPN.com](https://protonvpn.com/){ .md-button .md-button--primary }
+    [Website](https://protonvpn.com/){ .md-button .md-button--primary }

 ??? check "44 Countries"

@ -146,7 +146,7 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.

    **Standard USD $60/year** - **Pro USD $100/year**

-    [Visit IVPN.net](https://www.ivpn.net/){ .md-button .md-button--primary }
+    [Website](https://www.ivpn.net/){ .md-button .md-button--primary }

 ??? check "32 Countries"

@ -279,8 +279,8 @@ With the VPN providers we recommend we like to see responsible marketing.
 Must not have any marketing which is irresponsible:

 - Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, eg:
- Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+  - Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
+  - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
 - Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
 - Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that a user is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example the visiting user might be on another VPN provider's service or using Tor.

@ -288,7 +288,7 @@ Must not have any marketing which is irresponsible:

 Responsible marketing that is both educational and useful to the consumer could include:

- An accurate comparison to when Tor or other [self-contained networks.md](self-contained-networks) should be used.
+- An accurate comparison to when Tor or other [self-contained networks](self-contained-networks.md) should be used.
 - Availability of the VPN provider's website over a .onion [Hidden Service](https://en.wikipedia.org/wiki/.onion)

 ### Additional Functionality
--- a/includes/abbreviations.en.md
+++ b/includes/abbreviations.en.md
@ -1,15 +1,18 @@
 <!-- markdownlint-disable -->
 *[2FA]: 2-Factor Authentication
+*[ADB]: Android Debug Bridge
 *[AOSP]: Android Open Source Project
 *[AVB]: Android Verified Boot
 *[CLI]: Command Line Interface
 *[CSV]: Comma-Separated Values
+*[CVE]: Common Vulnerabilities and Exposures
 *[DNSSEC]: Domain Name System Security Extensions
 *[DNS]: Domain Name System
 *[DoH]: DNS over HTTPS
 *[DoT]: DNS over TLS
 *[E2EE]: End-to-End Encryption/Encrypted
 *[ECS]: EDNS Client Subnet
+*[EOL]: End-of-Life
 *[Exif]: Exchangeable image file format
 *[FDE]: Full Disk Encryption
 *[FIDO]: Fast IDentity Online
@ -21,14 +24,19 @@
 *[HTTPS]: Hypertext Transfer Protocol Secure
 *[HTTP]: Hypertext Transfer Protocol
 *[I2P]: Invisible Internet Project
+*[ICCID]: Integrated Circuit Card Identifier
 *[IMAP]: Internet Message Access Protocol
+*[IMEI]: International Mobile Equipment Identity
+*[IMSI]: International Mobile Subscriber Identity
 *[IP]: Internet Protocol
 *[IPv4]: Internet Protocol version 4
 *[IPv6]: Internet Protocol version 6
 *[ISP]: Internet Service Provider
 *[ISPs]: Internet Service Providers
+*[JNI]: Java Native Interface
 *[LUKS]: Linux Unified Key Setup (Full-Disk Encryption)
 *[MAC]: Media Access Control
+*[MEID]: Mobile Equipment Identifier
 *[MFA]: Multi-Factor Authentication
 *[OCSP]: Online Certificate Status Protocol
 *[OEM]: Original Equipment Manufacturer
@ -39,22 +47,29 @@
 *[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP)
 *[P2P]: Peer-to-Peer
 *[PGP]: Pretty Good Privacy (see OpenPGP)
+*[PII]: Personally Identifiable Information
 *[QNAME]: Qualified Name
 *[RSS]: Really Simple Syndication
 *[SELinux]: Security-Enhanced Linux
+*[SIM]: Subscriber Identity Module
 *[SMS]: Short Message Service (standard text messaging)
 *[SMTP]: Simple Mail Transfer Protocol
 *[SNI]: Server Name Indication
 *[SSH]: Secure Shell
 *[SaaS]: Software as a Service (cloud software)
+*[SoC]: System on Chip
 *[TCP]: Transmission Control Protocol
 *[TEE]: Trusted Execution Environment
 *[TLS]: Transport Layer Security
 *[TOTP]: Time-based One-Time Password
+*[TPM]: Trusted Platform Module
 *[U2F]: Universal 2nd Factor
 *[UDP]: User Datagram Protocol
 *[VPN]: Virtual Private Network
 *[VoIP]: Voice over IP (Internet Protocol)
 *[W3C]: World Wide Web Consortium
 *[XMPP]: Extensible Messaging and Presence Protocol
+*[attack surface]: The attack surface of software or hardware is the sum of the different places an unauthorized user (the "attacker") can try to enter data to or extract data from.
 *[cgroups]: Control Groups
+*[fork]: In software development, a fork is created when developers take a copy of source code from one software package and start independent development on it, creating a distinct and separate piece of software.
+*[rolling release]: An update release cycle in which updates are released very frequently, instead of at set intervals.
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -12,6 +12,9 @@ copyright: |

 extra:
  generator: false
+  analytics:
+    provider: plausible
+    property: privacyguides.org
  social:
    - icon: fontawesome/brands/mastodon
      link: https://mastodon.social/@privacyguides
@ -91,6 +94,7 @@ markdown_extensions:
  - pymdownx.tilde
  - pymdownx.snippets
  - attr_list
+  - def_list
  - md_in_html
  - meta
  - abbr
@ -104,6 +108,7 @@ markdown_extensions:
  - footnotes
  - toc:
      permalink: true
+      toc_depth: 4

 extra_javascript:
  - javascripts/mathjax.js
@ -153,9 +158,12 @@ nav:
      - 'news-aggregators.md'
      - 'self-contained-networks.md'
      - 'video-streaming.md'
-  - 'About Us':
+  - 'About':
    - 'about.md'
+    - 'Online Services': 'https://privacyguides.net'
+    - 'about/donate.md'
    - 'about/notices.md'
    - 'about/privacy-policy.md'
+  - 'Donate': '/about/donate/'
  - 'Discussions': 'https://github.com/orgs/privacyguides/discussions'
  - 'Blog': 'https://blog.privacyguides.org/'
--- a/theme/.icons/pg/privacyguides.svg
+++ b/theme/.icons/pg/privacyguides.svg
@ -1,7 +0,0 @@
-<svg clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2" version="1.1" viewBox="0 0 9600 9600" xml:space="preserve" xmlns="http://www.w3.org/2000/svg">
-<title>privacyguides</title>
-<g transform="matrix(173.35 0 0 173.35 -1732.7 -1580.4)">
-<path d="m18.466 16.31c-0.187 0.628-0.082 1.363 0.128 2.831l2.659 18.614c0.46 3.216 0.689 4.823 1.298 6.26 0.539 1.274 1.294 2.445 2.232 3.461 1.059 1.147 2.429 2.018 5.169 3.762l3.896 2.479c1.868 1.189 2.802 1.783 3.806 2.015 0.772 0.178 1.57 0.201 2.349 0.069-0.644-1.471-1.001-3.095-1.001-4.804 0-6.627 5.373-12 12-12 1.934 0 3.761 0.458 5.379 1.27 0.113-0.717 0.231-1.541 0.37-2.512l2.659-18.614c0.21-1.468 0.315-2.203 0.128-2.831-0.164-0.554-0.485-1.049-0.923-1.425-0.498-0.427-1.212-0.63-2.638-1.038l-15.656-4.473c-0.491-0.14-0.736-0.21-0.986-0.238-0.221-0.025-0.444-0.025-0.666 0-0.249 0.028-0.495 0.098-0.985 0.238l-15.657 4.473c-1.426 0.408-2.14 0.611-2.637 1.038-0.439 0.376-0.76 0.871-0.924 1.425z" fill-opacity=".31"/>
-<path d="m32.836 13.626c0.11-0.012 0.222-0.012 0.333 0 0.096 0.011 0.202 0.037 0.74 0.19l15.656 4.473c0.735 0.211 1.206 0.346 1.558 0.476 0.335 0.125 0.455 0.207 0.515 0.259 0.22 0.188 0.38 0.435 0.462 0.712 0.023 0.077 0.049 0.22 0.026 0.577-0.024 0.375-0.092 0.859-0.201 1.616l-2.233 15.631c-6.841 0.659-12.19 6.423-12.19 13.437 0 1.385 0.209 2.721 0.596 3.979l-0.747 0.476c-1.963 1.249-2.645 1.658-3.337 1.818-0.666 0.154-1.357 0.154-2.023 0-0.693-0.16-1.375-0.569-3.337-1.818l-3.896-2.479c-2.808-1.787-3.977-2.545-4.872-3.515-0.821-0.889-1.482-1.913-1.954-3.028-0.514-1.215-0.723-2.593-1.194-5.887l-2.659-18.614c-0.108-0.757-0.176-1.241-0.201-1.616-0.023-0.357 3e-3 -0.5 0.026-0.577 0.082-0.277 0.243-0.524 0.462-0.712 0.061-0.052 0.181-0.134 0.515-0.259 0.353-0.13 0.823-0.265 1.558-0.476l15.657-4.473c0.537-0.153 0.644-0.179 0.74-0.19zm22.067 8.675-2.187 15.304c6.647 0.842 11.786 6.517 11.786 13.392 0 7.456-6.044 13.5-13.5 13.5-4.992 0-9.351-2.71-11.687-6.739l-0.353 0.225-0.223 0.141c-1.651 1.053-2.792 1.779-4.051 2.07-1.109 0.255-2.262 0.255-3.371 0-1.259-0.291-2.4-1.017-4.052-2.07l-0.222-0.141-4.089-2.602c-2.556-1.627-4.081-2.597-5.273-3.888-1.055-1.143-1.905-2.46-2.511-3.893-0.686-1.618-0.941-3.407-1.369-6.406l-2.699-18.893c-0.099-0.69-0.184-1.289-0.217-1.793-0.035-0.535-0.021-1.073 0.143-1.625 0.246-0.831 0.728-1.573 1.386-2.137 0.437-0.374 0.922-0.607 1.425-0.794 0.473-0.175 1.056-0.341 1.725-0.533l0.051-0.014 15.656-4.473 0.083-0.024c0.41-0.117 0.771-0.221 1.148-0.263 0.333-0.037 0.668-0.037 1 0 0.378 0.042 0.739 0.146 1.148 0.263l0.083 0.024 15.707 4.487c0.67 0.192 1.252 0.358 1.726 0.533 0.502 0.187 0.988 0.42 1.425 0.794 0.658 0.564 1.139 1.306 1.386 2.137 0.163 0.552 0.178 1.09 0.143 1.625-0.033 0.504-0.119 1.103-0.217 1.792v1e-3zm-3.901 18.196c-5.799 0-10.5 4.701-10.5 10.5s4.701 10.5 10.5 10.5 10.5-4.701 10.5-10.5-4.701-10.5-10.5-10.5zm7.152 6.961c0.531-0.637 0.445-1.583-0.192-2.113-0.636-0.53-1.582-0.445-2.112 0.192l-6.449 7.738-3.338-3.339c-0.586-0.585-1.536-0.585-2.121 0-0.586 0.586-0.586 1.536 0 2.122l4.5 4.5c0.298 0.298 0.707 0.457 1.128 0.438s0.815-0.215 1.084-0.538l7.5-9zm-32.652-17.461c0-4.142 3.358-7.5 7.5-7.5s7.5 3.358 7.5 7.5c0 2.454-1.178 4.632-3 6.001v5.999c0 2.486-2.014 4.5-4.5 4.5-2.485 0-4.5-2.014-4.5-4.5v-5.999c-1.821-1.369-3-3.547-3-6.001zm9 7.5h-3v4.5c0 0.829 0.672 1.5 1.5 1.5 0.829 0 1.5-0.671 1.5-1.5v-4.5zm-1.5-3c2.486 0 4.5-2.014 4.5-4.5 0-2.485-2.014-4.5-4.5-4.5-2.485 0-4.5 2.015-4.5 4.5 0 2.486 2.015 4.5 4.5 4.5z"/>
-</g>
-</svg>
--- a/theme/partials/integrations/analytics/plausible.html
+++ b/theme/partials/integrations/analytics/plausible.html
@ -0,0 +1 @@
+<script defer data-domain="{{ config.extra.analytics.property }}" src="https://stats.privacyguides.net/js/plausible.js"></script>
Author	SHA1	Message	Date
Jonah Aragon	13210d90bc	Add online services and donation information (#1110 )	2022-04-26 23:15:21 -05:00
Jonah Aragon	6c297d4f77	Fix broken PR preview teardowns	2022-04-26 23:13:24 -05:00
Jonah Aragon	669311205f	Plausible analytics (#1112 )	2022-04-26 21:52:59 -05:00
Jonah Aragon	0f4a35d003	Optimized PR Previews	2022-04-26 21:52:13 -05:00
elitejake	8aacb15e21	Add Element web app link (#1106 )	2022-04-26 13:53:02 -05:00
Jonah Aragon	c62de5d29f	Use surge.sh for PR previews (#1108 )	2022-04-26 13:48:56 -05:00
namazso	fce88ba49a	Formatting fixes (#1103 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-04-27 00:57:45 +09:30
namazso	25d0374939	Remove CTemplar recommendation (#1104 ) https://ctemplar.com/ctemplar-is-shutting-down/ Signed-off-by: Daniel Gray <dng@disroot.org>	2022-04-27 00:57:34 +09:30
elitejake	4dfed7d77d	Update SearXNG wording and mention it is a fork (#1101 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-04-26 00:42:36 +09:30
Daniel Gray	073e904954	Change SearX to more maintained SearXNG (#1099 )	2022-04-24 15:22:52 -05:00
Jonah Aragon	9c0f39f19d	Update primary button text (#1095 ) Co-Authored-By: Daniel Nathan Gray <dng@disroot.org>	2022-04-24 15:19:48 -05:00
Jonah Aragon	e5b494ecb8	Enable Cloudflare Pages (#1100 )	2022-04-24 13:12:18 -05:00
Tommy	ca24eb6ba5	Make the Android pages more consistent (#1086 ) Co-authored-by: Jonah Aragon <jonah@triplebit.net> Signed-off-by: Daniel Gray <dng@disroot.org>	2022-04-25 00:46:26 +09:30
Jonah Aragon	b88beee846	Reduce reliance on external web resources (#1093 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-04-25 00:26:23 +09:30
Jonah Aragon	33dc6b1211	Less reliance on external resources	2022-04-25 00:22:06 +09:30
Jonah Aragon	313696132a	Reduce the number of admonitions across the site (#1092 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-04-25 00:20:38 +09:30
Jonah Aragon	480e7d5978	Set toc_depth of 4 (#1089 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-04-24 23:14:11 +09:30
Daniel Gray	945744e5e9	Fix missing tools entries (#1097 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-04-24 14:11:26 +09:30
				`@ -0,0 +1 @@`
				`<script defer data-domain="{{ config.extra.analytics.property }}" src="https://stats.privacyguides.net/js/plausible.js"></script>`